Early in the morning of Feb. 21, Change Healthcare, a company unknown to most Americans that plays a huge role in the U.S. health system, saying some of its applications were 鈥渃urrently unavailable.鈥
By the afternoon, the company described the situation as a 鈥渃yber security鈥 problem.
Since then, it has rapidly blossomed into a crisis.
The company, recently purchased by insurance giant UnitedHealth Group, reportedly suffered a cyberattack. The impact is wide and expected to grow. Change Healthcare鈥檚 business is maintaining health care鈥檚 pipelines 鈥 payments, requests for insurers to authorize care, and much more. Those pipes handle a big load: Change , 鈥淥ur cloud-based network supports 14 billion clinical, financial, and operational transactions annually.鈥
Initial media reports have focused on the impact on pharmacies, but techies say that鈥檚 understating the issue. The American Hospital Association of its members aren鈥檛 getting paid and that doctors can鈥檛 check whether patients have coverage for care.
But even that鈥檚 just a slice of the emergency: , an institution that helps health providers share medical records, information critical to care, also relies on Change technology. The system on 208 million individuals as of July 2023. Courtney Baker, CommonWell marketing manager, said the network 鈥渉as been disabled out of an abundance of caution.鈥
鈥淚t鈥檚 small ripple pools that will get bigger and bigger over time, if it doesn鈥檛 get solved,鈥 Saad Chaudhry, chief digital and information officer at Luminis Health, a hospital system in Maryland, told 蘑菇影院 Health News.
Here鈥檚 what to know about the hack:
Who Did It?
Media reports are fingering ALPHV, a notorious ransomware group also known as Blackcat, which has become the target of numerous law enforcement agencies worldwide. While UnitedHealth Group has said it is a 鈥渟uspected nation-state associated鈥 attack, some outside analysts . The gang has previously been blamed for hacking casino companies MGM and Caesars, among many other targets.
The Department of Justice , before the Change hack, that the group鈥檚 victims had already paid it hundreds of millions of dollars in ransoms.
Is This a New Problem?
Absolutely not. A study published in JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other providers .
鈥淚t鈥檚 more of the same, man,鈥 said Aaron Miri, the chief digital and information officer at Baptist Health in Jacksonville, Florida.
Because the assaults disable the target鈥檚 computer systems, providers have to shift to paper, slowing them down and making them vulnerable to missing information.
Further, a study published in May 2023 in JAMA Network Open examining the effects of an attack on a health system found that waiting times, median length of stay, and incidents of patients leaving against medical advice all increased 鈥 at neighboring emergency departments. The results, the , mean cyberattacks 鈥渟hould be considered a regional disaster.鈥
Attacks have devastated rural hospitals, Miri said. And wherever health care providers are hit, patient safety issues follow.
What Does It Mean for Patients?
Year after year, more Americans鈥 health data is breached. That exposes people to identity theft and medical error.
Care can also suffer. For example, a 2017 attack, dubbed 鈥淣otPetya,鈥 forced a to reboot its operations and hit pharma company Merck it wasn鈥檛 able to fulfill production targets for an HPV vaccine.
Because of the Change Healthcare attack, some patients may be routed to new pharmacies less affected by billing problems. Patients鈥 bills may also be delayed, industry executives said. At some point, many patients are likely to receive notices their data was breached. Depending on the exact data that has been pilfered, those patients may be at risk for identity theft, Chaudhry said. Companies often offer free credit monitoring services in those situations.
鈥淧atients are dying because of this,鈥 Miri said. Indeed, an October preprint from researchers at the University of Minnesota in mortality for patients in a ransomware-stricken hospital.
How Did It Happen?
The Health Information Sharing and Analysis Center, an industry coordinating group that disseminates intel on attacks, has that flaws in an application called ConnectWise ScreenConnect are to blame. Exact details couldn鈥檛 be confirmed.
It鈥檚 a tool tech support teams use to remotely troubleshoot computer problems, and the attack is 鈥渁pparently fairly trivial to execute,鈥 H-ISAC warned members. The group said it expects additional victims and advised its members to update their technology.
However, there’s uncertainty about how the attack happened. ConnectWise said in a statement that it is unaware of any connection to the breach and that its internal reviews have “yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare.鈥
When the attack first hit, the AHA disconnect from systems both at Change and its corporate parent, UnitedHealth鈥檚 Optum unit. That would affect services ranging from claims approvals to reference tools.
Millions of Americans see physicians and other practitioners employed by UnitedHealth and are covered by the company鈥檚 insurance plans.
UnitedHealth has said only Change鈥檚 systems are affected and that it鈥檚 safe for hospitals to use other digital services provided by UnitedHealth and Optum, which include claims filing and processing systems.
But not many chief information officers 鈥渁re jumping to reconnect,鈥 Chaudhry said. 鈥淚t鈥檚 an uneasy feeling.鈥
Miri says Baptist is using the conglomerate鈥檚 technology and that he trusts UnitedHealth鈥檚 word that it鈥檚 safe.
Where鈥檚 the Federal Government?
Neither executive was sanguine about the future of cybersecurity in health care. 鈥淚t鈥檚 going to get worse,鈥 Chaudhry said.
鈥淚t鈥檚 a shame the feds aren鈥檛 helping more,鈥 Miri said. 鈥淵ou鈥檇 think if our nuclear infrastructure were under attack the feds would respond with more gusto.鈥
While the departments of Justice and State have targeted the ALPHV group, the government has stayed behind the scenes more in the aftermath of this attack. Chaudhry said the FBI and the Department of Health and Human Services have been attending calls organized by the AHA to brief members about the situation.
Miri said rural hospitals in particular could use more funding for security and that agencies like the Food and Drug Administration should have mandatory standards for cybersecurity.
There鈥檚 some recognition among officials that improvements need to be made.
鈥淭his latest attack is just more evidence that the status quo isn鈥檛 working and we have to take steps to shore up cybersecurity in the health industry,鈥 said Sen. Mark Warner (D-Va.), the chair of the Senate Select Committee on Intelligence and a longtime advocate for stronger cybersecurity, in a statement to 蘑菇影院 Health News.
[Update: This article was updated at 4:55 p.m. ET on March 1, 2024, to reflect uncertainty about how the attack happened and to include a statement from ConnectWise.]
