News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack

Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims. 

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

 Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

;