Change Healthcare, a healthcare technology company, suffered a cyberattack on February 21, 2024. It involved a breach of the company’s electronic data interchange (EDI) systems, impacting the processing of Medicare claims payments. As a result, healthcare providers and suppliers experienced payment delays, leading to financial strain, operational challenges, and patient care delivery.Â
The gateway for criminals has compromised credentials, and there is a lack of multi-factor authentication (MFA). The MFA adds an extra security layer by requiring a second verification step beyond just a password. This lapse in basic security measures allowed hackers to gain unauthorized access.
The cyberattack is believed to have occurred due to vulnerabilities in Change Healthcare’s EDI systems, which allowed unauthorized access to sensitive data and disrupted claims processing. BlackCat threat group has assumed authorship of the cyberattack.
In an unexpected turn, samples of stolen Change Healthcare data surfaced, allegedly held by a group known as RansomHub. This new threat group demanded a ransom, claiming ownership of four terabytes of sensitive data.Â
Financial and operational impact of the attack
The American Medical Association (AMA) conducted a survey that revealed that one-third of Americans might have been affected by the cyberattack. Even though the company paid the ransom demand by BlackCat actors, not all data was recovered.
After the cyberattack, the Centers for Medicare & Medicaid Services (CMS) initiated the Change Healthcare/Optum Payment Disruption (CHOPD) Accelerated and Advance Payment program.Â
This program aimed to provide accelerated or advanced payments to affected providers and suppliers to alleviate financial strain during disruption. CMS, along with other relevant agencies, issued guidance and implemented measures to address the challenges posed by the cyber incident.
As the fallout from the cyberattack unfolded, it became evident that the impact extended far beyond Change Healthcare alone. Pharmacies nationwide, including major chains like CVS and Walgreens, experienced disruptions due to the attack. Tricare, a crucial healthcare service provider for US service members and their families, reported system-wide impacts. These disruptions underscored the interconnectedness of the healthcare ecosystem and the ripple effects of cybersecurity incidents.
Amidst the chaos, UnitedHealth Group, Change Healthcare’s parent company, scrambled to restore normal operations. The company announced plans to release medical claims preparation software to alleviate the strain on affected providers and suppliers. However, uncertainties loomed as reports surfaced linking the cyberattack to a suspected nation-state actor, adding geopolitical dimensions to an already volatile situation.
As investigations into the cyberattack continued, UnitedHealth Group faced mounting pressure from industry stakeholders and regulatory bodies. The US Department of State offered a substantial reward for information on the threat actors responsible, highlighting the severity of the incident’s impact on national security.Â
Regulatory response and HIPAA compliance investigation
Following the cyberattack, Change Healthcare initiated a series of actions to mitigate the breach’s impact and restore normal operations as quickly as possible.Â
The incident reminded us of the critical role of collaboration among government agencies, healthcare organizations, and cybersecurity experts in addressing cybersecurity challenges.
In response to the cyberattack on Change Healthcare, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the critical nature of the incident.
The letter highlights the disruptive impact on nationwide healthcare and billing information systems, directly threatening patient care and essential healthcare operations. OCR, responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, announced the initiation of an investigation into the incident to determine if a breach of protected health information occurred and to assess Change Healthcare’s and UnitedHealth Group’s compliance with HIPAA regulations.
Cybersecurity in healthcare
The cyberattack on Change Healthcare has once again highlighted the critical relationship between cybersecurity in healthcare and its financial implications. This incident underscores the vulnerability of healthcare to cyber threats and the potential financial repercussions associated with such attacks.
Healthcare organizations rely heavily on digital systems and technologies to deliver patient care, manage operations, and process sensitive information.Â
The financial impact of cyberattacks on healthcare organizations extends beyond the immediate costs of mitigation, such as system restoration and breach investigation. Organizations may also lose revenue due to downtime, legal expenses from regulatory investigations, and potential lawsuits.Â
According to research findings from Diligent Institute and Bitsight, highly regulated industries like healthcare tend to outperform others in terms of cybersecurity performance, which translates to nearly 4X shareholder returns.Â
Organizations must invest in advanced cybersecurity technologies, implement the best data protection and privacy practices, and regularly assess and update their security protocols to stay ahead of evolving threats. Hiring a cybersecurity company is the best start to ensure cyber resilience and prevent data breaches.
Additionally, building a culture of cybersecurity awareness among employees and fostering collaboration with industry partners and regulatory authorities are critical steps in strengthening healthcare organizations’ overall cybersecurity posture.
