Cyberattack on Change Healthcare Threatens Large Segment of US Population

UnitedHealth Group (UHG) Chief Executive Andrew Witty stated that a ransom was paid to stop the leak of information stolen during the Change Healthcare cyberattack. Although the statement did not mention the amount, it is reported that UHG paid the Blackcat ransomware group a $22 million ransom. The information was not deleted, and another ransomware group, RansomHub, acquired the data and attempted to demand a ransom payment from UHG and Change Healthcare. RansomHub exposed screenshots of the stolen information when no payment was forthcoming.

UHG released a statement that, according to preliminary investigation results, protected health information (PHI) and/or personally identifiable information (PII) was exposed during the attack. The specific types of information involved were not confirmed, though UHG stated it did not find any proof of extraction of doctors’ charts and complete medical backgrounds. UHG had not confirmed the number of individuals impacted by the breach. However, a significant percentage of the American people will likely be impacted. Change Healthcare mentions on its website that the data of 33% of Americans is handled by its systems, meaning it may be the biggest ever healthcare data breach, possibly affecting the PHI of over 100 million people in America.

There is no clear date yet for when notifications will be released. It has been about 60 days since February 21, 2024, when the cyberattack was discovered. The breach of PHI was only confirmed on April 15, 2024. Analysis of the impacted data is in progress to determine the number of people affected and the types of data breached. Considering the nature and intricacy of the data analysis, it will probably take a few months of extended analysis before it will be possible to identify and inform affected customers. While the analysis of the affected data continues, support and protections are being provided now instead of waiting until the data review concludes. A dedicated website was built with further information.

There are updates on the recovery of Change Healthcare's services. UHG’s pharmacy and medical claims services in all health systems have been restored to almost 100% levels, but a few providers are still negatively impacted. Payment processing is at roughly 86% of pre-attack levels, and about 80% of Change Healthcare’s operations are restored. The rest of the services will be restored in a few weeks.

UHG has not yet disclosed information on the nature of the breach, but The Wall Street Journal reported that hackers acquired access to the systems of Change Healthcare 9 days before the deployment of ransomware on February 21, 2024. According to the WSJ source, compromised credentials were used to access the systems. Multifactor authentication was not activated on the breached account, and lateral movement happened between February 12 and February 24, allowing the attackers to access substantial amounts of data.

HHS Webpage with HIPAA FAQs Regarding the Change Healthcare Cyberattack

The HHS’ Office for Civil Rights (OCR) built a webpage to respond to commonly asked questions about how the Health Insurance Portability and Accountability Act (HIPAA) applies to the Change Healthcare ransomware attack. The webpage clarifies the reason for OCR’s ‘Dear Colleague’ letter regarding the cyberattack and for the prompt launch of an investigation of Change Healthcare and UnitedHealth Group (UHG) to determine if they complied with the HIPAA Rules. OCR took quick action because of the extensive impact of the cyberattack on healthcare companies and patients and the unparalleled effect on patient care and personal privacy. OCR reminded other HIPAA-covered entities with business relationships with Change Healthcare to ensure they have business associate agreements set up and reminded them of their duty to safeguard PHI.

OCR stated that it has not received any notice from Change Healthcare regarding any PHI breach and reminded covered entities that they have 60 days from when a data breach is discovered to report a breach of unsecured PHI. OCR mentioned that covered entities impacted by the cyberattack on Change Healthcare must send breach notifications to the impacted persons and alert the HHS Secretary. The notifications must be sent without unreasonable delay and before the 60 days from discovering the breach are over. A notification must also be given to the media. When a business associate encounters a data breach, it should inform the covered entity within 60 days. The business associate must inform the covered entity about the breach and the impacted individuals. The covered entity is accountable for providing breach notifications if breaches happen to business associates, though it may assign the business associate to do the task.

HIPAA-covered entities that were impacted by the Change Healthcare cyberattack must get in touch with Change Healthcare/UHG if they have any concerns regarding breach notifications, and to find out whether Change Healthcare and UHG can send the breach notifications on behalf of the impacted companies and how the breach notifications will be sent. UHG said that it is eager to help the impacted entities by sending breach notices for them.

Nebraska Hospitals Targeted by Scammers

Bryan Health has published an advisory after being informed by some patients that they were called by individuals posing as representatives of hospitals in Nebraska, who told them they could file for a refund associated with the Change Healthcare cyberattack. The scammers required a credit card number to get the refund. Bryan Health stated that its staff will never call over the phone to ask for a credit card number to start a refund. President Jeremy Nordquist of the Nebraska Hospital Association (NHA) stated that Nebraskans must be cautious. If you are suspicious of the nature of a call, say goodbye and contact your hospital directly. All Americans are warned about the likely increase in scams associated with the Change Healthcare cyberattack.