The Change Healthcare attack: Explaining how it happened

What is Change Healthcare?

Change Healthcare is a healthcare technology company that is headquartered in Nashville, Tenn., with locations across the U.S., Canada, the United Kingdom, New Zealand, Israel and Taiwan. Change Healthcare was founded in 2007 and was acquired by UnitedHealth Group (UHG) and its Optum Insight business unit in an $8 billion deal that closed in October 2022.

The Change Healthcare platform provides several different services to healthcare providers including payment and revenue cycle management. The platform helps healthcare providers with claims processing and payments as well as integrating a system for appeals management from claimants for denied claims. The Change Healthcare Platform is one of the largest health information exchange (HIE) platforms in the U.S. The company manages 15 billion claims a year, totaling over $1.5 trillion.

As part of the overall platform offering Change Healthcare also provides clinical decision support, with technologies to help healthcare providers to make informed decisions about treatments. Change Healthcare also has a suite of patient engagement tools such as patient portals, secure messaging and appointment scheduling that help healthcare providers connect with patients.

How did the Change Healthcare attack happen?

The cyberattack on Change Healthcare was carried out by a ransomware group known as ALPHV or BlackCat. The attack led to significant disruptions in Change Healthcare's operations.

The attack was executed by the attackers somehow gaining unauthorized access to Change Healthcare's network. Precise details on specifically how ALPHV/BlackCat was able to get access to the Change Healthcare network have not been publicly disclosed.

While specifics on how the attackers were able to gain initial access to Change Healthcare, ALPHV/BlackCat is a reasonably prolific ransomware gang with tactics that have been reported by security researchers. Those tactics have included gaining access via Microsoft's remote desktop protocol as well as brute-force attacks against Active Directory (AD). There has also been speculation that vulnerabilities in the ConnectWise Screen Connect application, which were disclosed on Feb. 19 might have potentially been involved, though that has not been confirmed by Change Healthcare. ConnectWise has also publicly refuted any connection of its software to the Change Healthcare incident.

Once inside the Change Healthcare network, the attackers deployed ransomware. Ransomware attacks are particularly damaging because they can immediately render critical systems and data unavailable, posing immediate risks to patient safety and care delivery. In the case of Change Healthcare, the attack disrupted key operations, forcing healthcare providers and pharmacies to deploy workarounds to continue providing services.

Change Healthcare responded to the attack by disconnecting more than 111 different services across its system to prevent further damage. The company also engaged with law enforcement and cybersecurity firms to contain and remediate the ransomware risk.

Who was affected?

Among those who have been affected by the Change Healthcare attack are millions of Americans who use Change Healthcare's platform either directly or indirectly. Change Healthcare often serves as a backend services provider for various healthcare insurance providers in the U.S.

• Physicians and hospitals are impacted in their ability to bill, manage and issue prescriptions and healthcare procedures.
• Pharmacies are unable to get information and properly fill prescriptions.
• Individuals who are looking to make health claims as well as fill prescriptions have been affected by the breach.

Timeline of the attack

• Feb. 21, 2024: Change Healthcare suffers a cyberattack by the BlackCat/ALPHV ransomware group, leading to the company taking its systems offline.
• Feb. 26, 2024: American Hospital Association (AHA) writes a public letter to the U.S. Department of Health and Human Services (HHS) warning of widespread impact of the Change Healthcare cyberattack.
• Feb. 27, 2024: ConnectWise claims that it is unaware of any connection between the vulnerabilities in its ScreenConnect software and the Change Healthcare attack.
• Feb. 28, 2024: Medical Group Management Association (MGMA), an organization representing more than 60,000 medical practice administrators, executives, and leaders, sends a public letter to U.S. Department of Health and Human Services asking for government assistance to mitigate the attack's impact.
• Feb. 28, 2024: BlackCat/ALPHV claims responsibility for the attack.
• March 1, 2024: Security researchers discover that a payment of 350 bitcoins, worth $22 million was made to a bitcoin cryptocurrency wallet associated with BlackCat/ALPHV.
• March 5, 2024: HHS issues first public statement about Change Healthcare cyberattack as well as a plan to help providers serve patients.
• March 7, 2024: Service for prescription claim submissions as well as payment systems were restored.
• March 18, 2024: Full system recovery for all medical claims is expected.

Who was responsible for the attack?

The BlackCat ransomware gang, also known as ALPHV, claimed responsibility for the attack against Change Healthcare. BlackCat/ALPHV is the same group that was allegedly behind the attacks on Caesars Entertainment and MGM Resorts in September 2023.

BlackCat/ALPHV also has alleged links to the DarkSide ransomware group that was implicated in the Colonial Pipeline cyberattack in 2021.

BlackCat/ALPHV operates with a ransomware-as-a-service (RaaS) model. In the RaaS approach, BlackCat/ALPHV enables affiliates to attack victims with its ransomware code, who are then paid a share of any ransomware payment.

Law enforcement has not been standing idly by while BlackCat/ALPHV attacks organizations, though the group appears to be very resilient. In December 2023, the U.S. Department of Justice led an international law enforcement operation against the group. Yet despite that action, BlackCat/ALPHV was still able to attack Change Healthcare.

On March 5, 2024, the BlackCat/ALPHV leak site was taken offline in what some security experts suspect is a possible exit scam designed to cheat affiliates out of any potential payouts.

What is the impact of this attack?

AHA claims that Change Healthcare processes 15 billion healthcare transactions every year and impacts one in every three patient records in the U.S.

Among the ways that the attack has had an impact are the following:

• Patient care services. Disruption of a range of services that directly affect patient care, including clinical decision support, eligibility verifications and pharmacy operations.
• Claims processing and eligibility checks. A substantial portion of claims could not be processed, and eligibility checks necessary to determine whether a patient's insurance covers a prospective treatment could not be completed.
• Hospital finances and service delivery. Immediate adverse impact on hospitals' finances and their ability to offer the full set of health care services to their communities.
• Revenue cycle management. Interrupted technology controls providers' ability to process claims for payment, patient billing, and patient cost estimation services.
• Operational challenges. Prolonged disruption might negatively impact many hospitals' ability to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission-critical contract work.
• Administrative burden. Replacing previously electronic processes with manual processes adds considerable administrative costs on providers and diverts team members from other tasks.

Federal government assistance for impacted organizations

The U.S. federal government via HHS is providing some assistance for organizations impacted by the Change Healthcare cyberattack.

The Centers for Medicare & Medicaid Services (CMS) took steps to assist providers, including the following:

• Expedited electronic data interchange (EDI) enrolment for providers needing to change clearinghouses for claims processing.
• Instructed Medicare Administrative Contractors (MACs) to expedite the EDI enrolment process.
• Issued guidance to Medicare Advantage (MA) organizations to offer advance funding to the most affected providers.

The federal government, including HHS, the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the White House, all worked together to provide credible, actionable threat intelligence to impacted organizations and the healthcare industry in response to the incident.

What is UnitedHealth Group's temporary financial assistance program?

UnitedHealth set up a Temporary Funding Assistance Program offered by its Optum Financial Services business unit. This program is designed to help healthcare providers who have been impacted by the outage in the payment systems of Change Healthcare.

The program offers short-term temporary funding assistance to eligible providers to help with their immediate cash flow needs. Providers must receive payments from payers that were processed by Change Healthcare to be eligible for the program. Funding is calculated based on the provider's prior claims volume and impact level.

To determine eligibility and funding amount, providers need to register for the program using an Optum Pay account. Funds are deposited via Automated Clearing House (ACH) to the bank account on file with Optum Pay. Providers will need to repay these payments as soon as regular operations resume.

What can organizations learn from this attack?

The healthcare industry is particularly vulnerable to cyberattacks because personal patient information is valuable, and health organizations often lack strong cybersecurity measures. Organizations can learn valuable lessons from such incidents and implement prevention tips and best practices to enhance their cybersecurity posture. Here are key takeaways and recommendations:

• Business contingency plans are essential. Healthcare organizations must have plans in place to address cyberattacks or disruptions in revenue cycle processes, including proactively securing lines of credit to mitigate payment disruptions.
• Access to payer portals is crucial. Organizations should ensure they have payer portal logins for all payers with significant claims volume and establish policies and procedures outlining changes to operations in case of a cyberattack.
• Don't forget about Active Directory. Securing AD is critical to limiting the ability of ransomware attacks such as BlackCat/ALPHV to spread across a network. There are multiple steps organizations can take to secure AD, including backup policies and hardening access with fine-grained password policies that limit the risk of domain compromise.
• Investing in ransomware protection is a requirement. Ransomware is not going away anytime soon and it is incumbent upon organizations to take the necessary steps to prevent ransomware and limit risk.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.