Posted By Steve Alder on Apr 16, 2025
UnitedHealth Group has adopted an aggressive approach to recover outstanding balances on loans issued to healthcare providers affected by the February 2024 ransomware attack on Change Healthcare. The attack caused a prolonged outage of Change Healthcare’s systems, which massively disrupted providers’ revenue cycles because they were unable to submit claims. Many providers were forced to exhaust personal funds to keep their businesses open, and many were pushed to the brink of closure.
In response, UnitedHealth Group, via Optum, established a temporary financial assistance program consisting of no-interest loans. The aim was to help healthcare providers through their short-term cash flow problems with the loans due for repayment once operations were restored and claims processes were back up and running. Optum stated that an invoice would be sent when operations resume, with the payment period extended to 45 business days from the invoice date. UnitedHealth Group paid out around $9 billion through the program and claims to have recovered around $3.2 billion so far.
While the deadline for repayment has long since passed, many healthcare providers have continued to struggle financially and have found it difficult to find the cash to repay the loans in full. Some providers have complained about having claims rejected, as they have been unable to meet the filing deadline. There have been reports of some providers being unable to file claims for 8 months after the ransomware attack.
Several media outlets have recently reported that healthcare providers have been receiving threatening letters demanding repayment in full, with the warning that reimbursement for claims would otherwise be withheld. UnitedHealth Group CEO Andrew Witty had previously stated that providers would not be required to repay the interest-free loans until they determined they were financially stable.
On April 11, 2025, the American Medical Association (AMA) wrote to OptumInsight CEO Roger Connor urging a flexible approach to repayment, as a one-size-fits-all approach was unfair, especially on smaller physician practices that are still experiencing financial difficulties due to lost revenue and continued disruption to claims.
“We are hearing from many practices about Optum’s strict measures related to repayment/recoupment of loans to practices after the cyberattack and the resulting outage,” wrote AMA CEO James Madara, MD. “In addition, many practices are still grappling with claims from the period associated with CHC’s outage and receiving rejections for not meeting UnitedHealthcare’s (UHC) timely filing deadlines.”
The AMA has urged Optum to allow physicians to decide when they can afford to repay their loans. “Each practice will have distinct levels of patient volumes, revenue generation, and cost pressures and needs a repayment plan that does not recreate the same dire financial straits experienced during the cyberattack when CHC’s systems were non-functional,” Madara wrote.
Optum claims to be actively working with providers to identify a viable, flexible repayment plan based on their individual circumstances. Some practices have reported their claims have already been withheld due to outstanding balances, including practices that have already started repaying their loan.
Change Healthcare Files Motion to Dismiss Class Action Lawsuit
Last month, Change Healthcare filed a motion in the U.S. District Court of Minnesota to have a consolidated class action data breach lawsuit dismissed. Dozens of lawsuits were filed against UnitedHealth Group and Change Healthcare over the data breach seeking damages for the exposure of sensitive data. Many providers and insurers have also taken legal action to recover lost revenues and expenses incurred due to the outage. Hackers stole the protected health information of an estimated 190 million individuals before encrypting files, and the outage lasted for several months. The lawsuits were consolidated in the District of Minnesota.
Change Healthcare’s motion to dismiss claims that the company does not operate in the state, and the vast majority of plaintiffs do not reside there. “When personal jurisdiction over a defendant is lacking, a court has no power to adjudicate claims brought against that defendant, and the defendant must be dismissed from the litigation,” Change Healthcare wrote. “Personal jurisdiction can be general or specific. Here, the vast majority of plaintiffs do not—and cannot—demonstrate either as it relates to Change or its operations.” The court has yet to rule on the motion. The next hearing is scheduled for June 12, 2025.
February 19, 2025: Judge Sets Deadline for Motions to Dismiss Claims in Change Healthcare Data Breach Lawsuits
A District Court Judge has set a March 2025 deadline for Change Healthcare to file motions to dismiss certain claims raised in the multiple complaints filed over its February 2024 ransomware attack and data breach.
In February 2024, Change Healthcare suffered a ransomware attack that resulted in file encryption and the theft of the protected health information of an estimated 190 million individuals. The stolen data included names, contact information, dates of birth, Social Security numbers, and medical information, and is the largest healthcare data breach ever reported. The attack resulted in an outage that lasted for several weeks, and severely hampered claims processing, causing massive disruption to providers’ revenue cycles.
Many lawsuits were filed in response to the data breach by individuals who had their data stolen in the attack, as well as by providers affected by the prolonged outage of Change Healthcare’s systems. The lawsuits were consolidated in federal multi-district litigation due to the common questions of fact and law. The MDL is being heard by U.S. District Court Judge Donovan Frank in the District of Minnesota.
Change Healthcare has previously indicated that it plans to submit motions to dismiss multiple claims in the litigation. The deadline for submitting those motions to dismiss has now been extended. According to a February 4, 2025, court order, the defendants have been given until March 21, 2025, to file any motions to dismiss. Judge Frank has also established a 60-page limit for Memorandums of Support. Plaintiffs have been given until April 25, 2025, to respond to those motions to dismiss, with a 90-page limit set for Memorandums of Support. The defendants have been given until May 23, 2025, to reply, limited to 30 pages.
Settlement talks are already underway to get an early resolution to the litigation, but if a settlement cannot be reached, Judge Frank is likely to schedule a series of bellwether trials to determine how juries would likely respond to the evidence and testimony. The next status conference on the litigation is scheduled for April 17, 2024.
January 25, 2025: UHG Increases Change Healthcare Data Breach Victim Count to 190 Million
UnitedHealth Group has provided an updated figure on the number of individuals affected by the Change Healthcare ransomware attack, almost doubling the previous estimate of 100 million individuals. While the final figure has still not been announced, UnitedHealth Group has publicly confirmed that the breach involved the data of approximately 190,000,000 individuals.
UnitedHealth Group also confirmed that the vast majority of affected individuals have been mailed notification letters, which means some individuals affected by the February 2024 ransomware attack have still not been notified that their data was stolen almost a year ago. Despite hackers having access to the stolen data for almost a year, UnitedHealth Group said it has not identified any misuse of the stolen data.
The data breach was already the largest ever reported, but at 190 million records, it is almost 2.5 times the size of the previous largest healthcare data breach – the 78.8 million-record data breach at Anthem Inc. in 2015. The ransomware attack on Change Healthcare was detected on February 21, 2024, and it was later confirmed that the BlackCat ransomware group was behind the attack. A $22 million ransom was paid to prevent the release of the stolen data; however, the BlackCat ransomware group performed an exit scam, pocketed the ransom payment, and didn’t pay the affiliate who conducted the attack. The affiliate then worked with another ransomware group, RansomHub, which attempted to extort Change Healthcare further, although no additional ransom payments were made and the stolen data remains in the hands of cybercriminals.
The outage caused by the attack lasted for several weeks, preventing healthcare providers and health insurers from using Change Healthcare’s systems, which caused massive disruption to the revenue cycles of healthcare providers across the country. An investigation of the data breach was rapidly initiated by the Office for Civil Rights to determine if the breach was the result of a failure to comply with the security standards of the HIPAA Security Rule. The findings of the investigation have yet to be announced, but UHG has confirmed that the attackers gained access to the network using compromised credentials for a Citrix server that did not have multi-factor authentication enabled.
January 14, 2025: Change Healthcare Ransomware Attack Data Review “Substantially Complete”
It has been almost 11 months since a hacker breached Change Healthcare’s network, stole the data of an estimated 100 million individuals, and used ransomware to encrypt files. On January 14, 2025, Change Healthcare issued an update stating the review of the impacted data is “substantially complete.”
Change Healthcare has been issuing notifications to customers on a rolling basis, with the first batch of notification letters issued on June 20, 2024, almost four months to the day since it discovered the data breach. Further notifications were issued on August 8, 2024, September 16, 2024, November 21, 2024, and December 4, 2024.
In the latest update, Change Healthcare said it does not anticipate that it will identify any additional customers that have been affected; however, Change Healthcare has confirmed that the mailing of individual notification letters on behalf of clients that have delegated that responsibility to Change Healthcare is ongoing, which means some individuals are yet to learn that their sensitive data was stolen in the incident. Change Healthcare said it is still awaiting instruction from some impacted customers about whether they want Change Healthcare to mail notification letters on their behalf.
Change Healthcare confirmed that its policies and procedures have been reinforced to further strengthen security and to help prevent incidents in the future, and a third-party firm has been engaged to monitor the dark web to identify leaks of the stolen data. The affected individuals have been offered complimentary credit monitoring services for two years.
Extensive personal and protected health information was stolen before ransomware was used to encrypt files on February 21, 2024; however, despite having ample time to misuse the stolen data, Change Healthcare said it is not aware of any misuse of individuals’ information.
While Change Healthcare has been issuing updates, individuals affected by the Change Healthcare data breach may struggle to find the notification letter online, as it has been set to “NoIndex” by Change Healthcare. That means search engines are instructed to ignore the notice, so it will not appear in search engine results. It is unclear why that is the case. The breach report submitted to the HHS’ Office for Civil Rights still shows an estimate of 100,000,000 affected individuals. Change Healthcare has yet to confirm the actual number of affected individuals.
Since 2018, OCR has seen a 100% increase in large data breaches and a 264% increase in large breaches involving ransomware attacks. In response, OCR has proposed an update to the HIPAA Security Rule that requires HIPAA-regulated entities to implement stronger safeguards to better protect patient data, including mandatory multifactor authentication. The ransomware group behind the Change Healthcare cyberattack gained access to the network through a Citrix portal that did not have multifactor authentication enabled. If enacted by OCR under the Trump Administration, the updated HIPAA Security Rule will go a long way toward improving baseline security in healthcare and preventing future massive data breaches.
December 17, 2024: Nebraska Sues Change Healthcare Over February Ransomware Attack
Nebraska Attorney General Mike Hilgers is the first state Attorney General to file a lawsuit against Change Healthcare over its February 2024 ransomware attack – the most significant healthcare cyberattack in history and the largest ever healthcare data breach.
On February 11, 2024, an affiliate of the BlackCat/ALPHV ransomware group breached Change Healthcare’s network, then spent 9 days inside the network moving laterally and stealing data before ransomware was used to encrypt files. A $22 million ransom was paid to prevent the publication of the stolen data; however, the ransomware group pulled an exit scam, and the payment did not secure the stolen data.
The personal, health, and financial information of an estimated 100 million individuals was stolen in the attack, including the sensitive data of at least 575,000 Nebraskans. The stolen data included names, contact information, Social Security numbers, driver’s license numbers, health information, insurance information, and billing information.
The ransomware affiliate gained access to the network using the username and password of a low-level customer support employee, which AG Hilgers said was posted on a Telegram group chat known for selling stolen credentials. The credentials allowed the ransomware affiliate to log in via a Citrix remote access service that lacked multifactor authentication. The hacker was able to create privileged administrative accounts, exfiltrate vast amounts of sensitive data, and install ransomware undetected. The attack was only detected when files were encrypted, preventing access.
“Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud,” said Attorney General Hilgers. “We’re filing this suit to hold Change accountable.”
The lawsuit was filed in the District Court of Lancaster County, Nebraska on December 16, 2024, and names Change Healthcare Inc., Optum Inc., and their parent company, UnitedHealth Group Incorporated (UHG), as defendants. The defendants are alleged to have failed to implement basic security measures, and Change Healthcare’s security practices are alleged to have exacerbated the cyberattack and caused significant harm to Nebraska residents.
The lawsuit alleges the cybersecurity failures violated Nebraska’s consumer protection and data security laws. Those failures included outdated and poorly segmented IT systems, a lack of multifactor authentication, and a failure to isolate backup systems from the primary system, which meant the hacker was able to disable both. The attack forced a total shutdown of Change Healthcare’s systems, which were relied upon by hospitals, pharmacies, and doctors’ offices.
Further, Attorney General Hilgers alleges there was an inadequate response to the attack and data breach. The intrusion was not detected for 9 days, then it took Change Healthcare 5 months to start issuing notification letters to the individuals who had their data stolen. The notification process is ongoing, although the investigation and notification processes are now in the final stages.
“A functioning medical marketplace needs to have a trustworthy medical payments backbone. It requires companies who do what they say they will do, and do everything possible to protect Nebraska’s health information and who provide proper notice to Nebraskans when their data is breached,” said Attorney General Hilgers. “This suit is intended to help restore trust in our system and remedy the harm suffered by Nebraskans and their medical providers.”
While Nebraska was the first state to file a lawsuit, it is unlikely to be the last. State Attorneys General across the United States are also likely to take legal action against Change Healthcare and UHG, the HHS’ Office for Civil Rights is investigating to determine if the HIPAA Rules have been violated, and many class action lawsuits have been filed over the data breach.
Healthcare Providers Still Being Notified Their Data was Compromised
Individual notifications are still being mailed by Change Healthcare, but some healthcare providers are only just finding out that their patients have been affected. On December 16, 2024, Monument Health in South Dakota was informed by Change Healthcare that up to 26,000 of its patients had their data stolen in the February 21, 2024, ransomware attack. Change Healthcare is sending notification letters to those individuals.
Change Healthcare informed OCR in October that 100 million individuals had been affected. Given that some healthcare providers are only just learning they have been affected, presumably because Change Healthcare has only just discovered their data was involved, the 100 million figure could well be adjusted upwards.
December 5, 2024: Change Healthcare Data Breach Settlement Talks Due to Commence
Attorneys for the plaintiffs and defendants are due to meet soon to discuss the possibility of a settlement to resolve the consolidated Change Healthcare data breach litigation. Initially scheduled to meet in early December, the meetings have been delayed and are due to take place in mid-December for the plaintiffs’ attorneys and at the end of January for the defense team.
More than 4 dozen lawsuits were filed following the announcement that the Change Healthcare ransomware attack affected a significant proportion of the population of the United States, even before Change Healthcare started sending breach notification letters. Since the lawsuits were based on the same facts and asserted similar claims, the lawsuits were consolidated by a Federal Judicial Panel on Multidistrict Litigation.
Attorneys for UnitedHealth Group and Change Healthcare sought to have the lawsuits consolidated in the District of Tennessee since Change Healthcare’s headquarters are in Nashville; however, the Judicial Panel transferred and consolidated the multidistrict litigation (MDL) in the U.S. District Court for the District of Minnesota to be heard by District Court Judge Donovan Frank. After an initial conference in September, Judge Frank issued a text order directing lead counsel for the plaintiffs and the defendants to hold in-person, ex parte meetings with U.S. Magistrate Judge Dulce J. Foster to discuss the possibility of a settlement to resolve the MDL. Those meetings have been scheduled for December 18, 2024, for the plaintiffs’ attorneys and January 30, 2025, for the defendants’ attorneys with Judge Foster in Minneapolis.
While discussions about a possible settlement are about to commence, it is likely to be many months before victims of the breach can submit claims to recover out-of-pocket expenses and other losses incurred as a result of the ransomware attack. Settlement discussions are likely to take some time considering the amount of money at stake; however, the decision of Judge Frank to start settlement discussions early in the MDL should help to shorten the time it takes for an agreement to be reached. A jury trial remains a possibility if a settlement cannot be reached, although jury trials for healthcare data breach lawsuits are virtually unheard of.
The Change Healthcare data breach is the largest ever reported in the United States. According to the updated breach report submitted to the HHS’ Office for Civil Rights (OCR), the protected health information of 100 million individuals was compromised in the ransomware attack. Change Healthcare is still issuing individual notifications to some of the affected individuals so the number of class members in the MDL is likely to continue to rise.
If a settlement is agreed by all parties, it is likely to be the largest-ever settlement for a healthcare data breach. In 2017, Anthem Inc. settled a class action data breach lawsuit over its 78.8 million record data breach in 2015 – the largest healthcare data breach until that unwanted record was taken by Change Healthcare. Anthem’s MDL was settled for $115 million. Anthem Inc. also settled alleged HIPAA violations with OCR for $16 million, the largest HIPAA penalty issued to date. OCR launched an early investigation of Change Healthcare over the data breach to assess compliance with the HIPAA Rules, although the findings of that investigation are not yet known. If HIPAA violations are identified, the financial penalty may not be so high, as OCR is working with reduced caps on the maximum penalties for HIPAA violations, following a 2019 reinterpretation of the language of the HITECH Act.
November 19, 2024: Change Healthcare Fully Restores Clearinghouse Services After February Ransomware Attack
Change Healthcare has announced that its clearinghouse services have now been fully restored following its ransomware attack 9 months ago. Its MedRx pharmacy electronic claims for medical services, its Payer Print Communication Multi-Channel Distribution System (MCDS), and Clinical Exchange have been brought back, but for these Change Healthcare is still only offering a partial service. All other services are listed in the update as restored and fully operational.
Due to the prolonged outage of Change Healthcare’s systems, parent company UnitedHealth Group established a Temporary Funding Assistance Program to help providers struggling financially due to the disruption caused by the ransomware attack and paid around $8.5 billion in loans under that program. The repayment phase has been underway for some time, and around $3.2 billion in loans have been repaid as of October 15, 2024. Change Healthcare has lost business due to the prolonged outage as healthcare providers sought alternative companies. Change Healthcare is currently trying to win back their business.
DOJ and States Try to Block Acquisition of Amedisys
Earlier this month, the Department of Justice and four states – Maryland, Illinois, New Jersey, and New York – filed a lawsuit against UnitedHealth Group in an attempt to prevent the merger with Amedisys, one of the leading providers of home health and hospice care in the United States. UnitedHealth Group has been expanding in the home healthcare market, and its subsidiary, Option Care Health, is attempting to acquire Amedisys in a $3.3 billion deal. Amedisys is one of the largest home healthcare providers in the United States with 500 locations in 32 states.
The lawsuit claims that competition between UnitedHealth Group and Amedisys currently forces both companies to improve patient services and offer higher wages to nurses, but that if the merger goes ahead, UnitedHealth Group would control around 30% of the home health and hospice market in 8 different states. The lawsuit alleges the merger would be presumptively anticompetitive and that eliminating this competition would harm patients, insurers who contract with health services, and the nurses who provide the care.
“We are challenging this merger because home health and hospice patients and their families experiencing some of the most difficult moments of their lives deserve affordable, high quality care options,” said Attorney General Merrick B. Garland. “The Justice Department will not hesitate to check unlawful consolidation and monopolization in the healthcare market that threatens to harm vulnerable patients, their families, and health care workers.”
UnitedHealth Group responded to the legal challenge saying, “The Amedisys combination with Optum would be pro-competitive and further innovation, leading to improved patient outcomes and greater access to quality care. We will vigorously defend against the DOJ’s overreaching interpretation of the antitrust laws.” The Department of Justice tried to block UnitedHealth Group’s acquisition of Change Healthcare in 2022 but was unsuccessful.
October 24, 2024: Change Healthcare Cyberattack Affected 100 Million Individuals
It has taken 8 months for Change Healthcare to confirm the number of individuals affected by its February 21, 2024 cyberattack, but it is now official. The protected health information of at least 100 million individuals was compromised in the ransomware attack – almost one-third of the population of the United States. That makes the Change Healthcare data breach the largest ever known breach of protected health information at a HIPAA-regulated entity, beating the previous record set by Anthem Inc. in 2015 of 78.8 million individuals.
Change Healthcare notified the Department of Health and Human Services’ Office for Civil Rights (OCR) about the cyberattack using a placeholder estimate of 500 affected individuals, as the investigation was ongoing when the breach report was submitted on July 19, 2024. An updated breach report has now been provided to OCR, confirming that approximately 100 million individual notification letters have been mailed. Neither Change Healthcare nor its parent company, UnitedHealth Group (UHG), has confirmed that the file review has been completed at the time of writing.
OCR is investigating Change Healthcare to determine whether the company was fully compliant with the HIPAA Rules prior to the ransomware attack. The investigation was rapidly launched due to the unprecedented scale and impact of the attack; however, it is likely to take months or even years before the outcome of that investigation is known. A ransomware attack and major data theft incident does not necessarily mean there were HIPAA compliance failures. The OCR breach portal currently lists 3,400 data breaches of 500 or more records, and OCR has only imposed 149 financial penalties for noncompliance.
If noncompliance is discovered, a financial penalty can be expected. However, even though the ransomware attack had a huge impact on healthcare providers across the country and resulted in the theft of a colossal amount of sensitive data, OCR’s ability to impose fines is limited. The maximum financial penalty for a HIPAA violation set by the HITECH Act is $1.5 million, which adjusted for inflation is just over $2.1 million. That maximum applies to all HIPAA violations of an identical provision, per calendar year. Since UnitedHealth Group acquired Change Healthcare in 2022, the potential penalty is likely to be relatively small unless multiple HIPAA violations are discovered.
The biggest financial penalty imposed to date for a HIPAA violation was the $16 million fine for Anthem Inc. A similar fine would amount to pocket change for a company the size of UnitedHealth Group. OCR has been pushing Congress to increase the maximum penalties for HIPAA violations to ensure the fines serve as a more effective deterrent and Senate Finance Committee Chair Ron Wyden (D-OR) and Senator Mark Warner (D-VA) are also pushing for change. They want Congress to remove the cap on financial penalties for HIPAA violations and only have minimum penalties. They also want more accountability and have proposed major reforms.
“Mega corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” said Sen. Wyden. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”
The Change Healthcare data breach total brings the number of individuals affected by large healthcare data breaches in 2024 up to 165,898,487 across 557 large data breaches, just 605,494 records short of last year’s record-breaking total with two full months of the year still to go.
October 21, 2024: Senate Finance Committee Chair Seeks Further Information on Change Healthcare Cyberattack
In June 2024, UnitedHealth Group CEO Andrew Witty provided testimony to the Senate Finance Committee on the February 2024 ransomware attack on Change Healthcare and answered questions from committee members on the incident and the response. Last week, Senate Finance Committee Chair Ron Wyden (D-OR) wrote to Witty seeking full answers to the questions asked at the committee hearing that were not adequately answered at the time.
“You testified about this incident before the Committee in June, during which you provided vague, unclear information about the incident and the degree to which it was caused by your company’s lax cybersecurity practices,” wrote Wyden in his October 18, 2024, letter to Witty. “Congress has a responsibility to conduct rigorous oversight to determine what legislative actions might be necessary in the wake of the most significant cyberattack against the U.S. health care sector to date.”
As covered by The HIPAA Journal below, the initial point of entry for the BlackCat ransomware affiliate was a server that did not have multifactor authentication enabled, despite MFA being a standard cybersecurity practice for servers exposed to the public Internet. After accessing that server, the ransomware affiliate escalated privileges and gained privileged access to the Microsoft Active Directory Server.
Sen. Wyden sent follow-up questions to UnitedHealth Group (UHG) after the hearing, and while responses were received, Sen. Wyden said the questions were not satisfactorily answered. In response to those follow-up questions, UHG confirmed that third-party auditors were regularly hired to review Change Healthcare’s technology infrastructure. In the October 2024 letter, Sen. Wyden asked whether the server without MFA enabled was included in those security audits. Witty was also asked to disclose the technique used by the ransomware affiliate to escalate privileges, whether that technique was identified by the security auditors, and whether Change Healthcare was advised to implement defenses against that technique. Sen. Wyden also asked Witty to confirm the defenses that have been implemented since the attack to ensure the same privilege escalation technique cannot be used again, and whether those defenses have been tested to ensure they are effective.
Witty was also asked to provide copies of the reports from the security audits of Change Healthcare for the five years leading up to the February 2024 cyberattack, including audits from before UHG acquired Change Healthcare in 2022. Sen. Wyden asked for full answers to his questions no later than November 22, 2024.
As of October 21, 2024, 8 months to the day after the Change Healthcare ransomware attack, confirmation has still not been provided on how many individuals were affected. The OCR breach portal still lists the data breach with Change Healthcare’s placeholder figure of 500 affected individuals.
October 17, 2024: Change Healthcare Ransomware Attack Cost to Rise to $2.87bn in 2024
The cost of the Change Healthcare ransomware attack has risen to $2.457 billion, according to UnitedHealth Group’s Q3, 2024 earnings report. Revenues in the third quarter increased by 9% year-over-year to $100.8 billion.
UnitedHealth Group’s Q1, 2024 earnings report estimated total losses due to the cyberattack would be $1.6 billion in 2024. By the end of Q2, 2024, the estimate had increased to between $2.3 billion and $2.45 billion, almost $1 billion more than expected at the end of Q1. In the 9 months to September 30, 2024, UnitedHealth Group reported $1.521 billion in direct response costs and $2.457 billion in total cyberattack impacts, and the total anticipated cost of the Change Healthcare ransomware attack has been revised to $2.87 billion in 2024.
The ransomware attack has made a serious dent in UnitedHealth Group’s profits, although revenues have still increased $8.5 billion year-over-year and the number of consumers served by its commercial domestic offerings has increased by 2.4 million for the year to date. UnitedHealth Group has emerged from Q3, 2024 with adjusted earnings of $7.15 per share, up from $6.56 per share a year ago. The adjusted earnings of $7.15 per share include $0.12 in business disruption impacts and exclude $0.28 in direct response costs.
“Third quarter earnings from operations were $8.7 billion, including $0.3 billion in unfavorable cyberattack effects,” said UnitedHealth Group. “Adjusted earnings from operations of $9.0 billion include the Change Healthcare business disruption impacts and exclude the cyberattack direct response costs.”
In an October 15, 2024, earnings call, UnitedHealth Group CEO Andrew Witty explained that for the full year 2024 the business disruption costs will be around 75 cents per share, an increase of 10 cents from the former midpoint. UnitedHealth Group’s new adjusted net earnings outlook is $27.50 to $27.75 per share.
“After the cyberattack we prioritized devoting resources to support care providers over some activities such as share repurchase,” explained Witty. “Payments and claims flows for most care providers have normalized and repayment of these capital advances is underway.” UnitedHealth Group disbursed $8.9 billion in loans to providers adversely affected by the Change Healthcare ransomware attack and has recovered $3.2 billion.
UnitedHealth Group said it has made substantial progress recovering from the ransomware attack with most systems now back online; however, transaction volumes are still not at pre-event levels. “We continue to work with customers to bring transaction volumes back to pre-event levels and to win new business with our now more modern, secure and capable offerings. We expect to continue to build back the business to pre-attack levels over the course of ’25 and estimate next year’s full year impact will be roughly half of the ’24 level,” said Witty.
September 19, 2024: Initial Conference Takes Place for Consolidated Change Healthcare Data Breach Lawsuit
Dozens of lawsuits have been filed over the Change Healthcare cyberattack and data breach. With so many lawsuits to defend in multiple districts, Change Healthcare filed a motion for transfer and centralization of all actions related to the cyberattack and data breach with the U.S. Judicial Panel on Multidistrict Litigation (JPML). According to Change Healthcare, all of the lawsuits arose from one nucleus of operative facts – a data breach involving the theft of 6 TB of data, including the protected health information of millions of individuals throughout the United States. The lawsuits also make similar allegations – that Change Healthcare failed to properly protect the plaintiffs’ and class members’ personally identifiable and protected health information, resulting in the theft of their data.
In the motion to consolidate the lawsuits, Change Healthcare said all actions are based on several common questions of fact and law; therefore, “There is a compelling need to establish uniform and consistent standards in conducting pretrial discovery and motion practice, and to avoid potentially inconsistent rulings, inefficiencies, and waste of the parties’ and judicial resources that would result if the actions were allowed to proceed in numerous district courts.”
Change Healthcare said the Middle District of Tennessee is the most logical location for the consolidated lawsuit. Change Healthcare is based in Nashville, TN, where most of the key witnesses and evidence are located, and four of the proposed actions had been filed in that district. On June 7, 2024, the JPML issued an order transferring and consolidating the lawsuits – In Re: Change Healthcare Inc. Data Breach Litigation – before U.S. District Judge Donovan W. Frank in the District of Minnesota, as that was determined to be the most appropriate location for pretrial proceedings. At the time the motion to transfer the lawsuits was filed, 6 lawsuits were pending. By the time the pretrial order was issued, the number had swelled to 50, and more are expected to be filed now that data breach notifications are being mailed to the affected individuals.
The first pretrial order was issued on August 14, scheduling the first meeting for September 17, 2024, to establish preliminary procedures and appoint temporary interim counsel.
What Can be Done to Prevent Another Change Healthcare Cyberattack?
It has been seven months since the ALPHV/Blackcat ransomware group breached Change Healthcare’s network and used ransomware to encrypt files. The attack caused massive disruption due to a prolonged outage of Change Healthcare’s systems, and the Change Healthcare data breach has affected a substantial proportion of Americans. With systems unavailable, healthcare providers suffered serious cashflow problems due to the inability to claim for the services they provided. UnitedHealth Group offered financial assistance to struggling healthcare providers and advanced more than $9 billion by the end of Q2, 2024, yet even that huge figure was not enough. The financial problems continued for healthcare providers long after Change Healthcare’s systems were brought back online due to the huge backlog of claims. 7 months on, some healthcare providers are still waiting for their claims to be paid.
Cyberattacks can be remediated fairly quickly, but the disruption can continue for months. Two months after the Change Healthcare ransomware attack, providers were still having difficulty verifying patients’ insurance information. A survey conducted by the American Hospital Association indicated 60% of providers were continuing to face challenges with checking insurance coverage and 86% said they were still experiencing disruption to the claim submission process.
No healthcare cyberattack has caused as much disruption as the Change Healthcare ransomware attack and there is concern that the cyberattack on Change Healthcare may not be an isolated incident and could signal the shape of things to come. The Change Healthcare cyberattack stands out due to the months-long and large-scale disruption to healthcare services across the United States, but it is unlikely to be the last.
The huge disruption caused, and the massive costs involved could prompt nation state actors to conduct more attacks targeting key infrastructure and the huge ransom payment could trigger a new wave of big game hunting for cybercriminal groups looking to secure massive ransom payments. Action is clearly needed to improve defenses and ensure that something like this can never happen again.
The Change Healthcare cyberattack served as a wake-up call to the healthcare industry, prompting many to review their IT and cybersecurity priorities and contingency plans to prepare for a similar incident in the future. Some of the key steps that are being taken include reviewing third-party suppliers and financial intermediaries to identify potential weak points, addressing any weaknesses, and developing incident response and contingency plans to minimize disruption in the event of another attack and prolonged outage.
A recent survey conducted by KLAS Research and Bain & Company of 150 U.S. healthcare providers revealed that 70% of respondents had been directly affected by the Change Healthcare cyberattack. Cybersecurity was already a key priority for those organizations, but the cyberattack has prompted them to increase effort and spending and build redundancy to mitigate future risks. In response to the attack, 44% of respondents said they had arranged or conducted audits of internal systems, 43% had arranged audits of current vendors, 38% had increased cybersecurity spending, and 19% had increased spending on cybersecurity professionals and managed services.
At the start of the year, the Department of Health and Human Services published its Health and Public Health Sector Cybersecurity Performance Goals and stated that it is considering a carrot-and-stick approach, first making the cybersecurity goals voluntary, then moving toward further regulation to force healthcare organizations to take steps to improve cybersecurity.
Any move to force healthcare providers to improve cybersecurity through increased regulation is likely to face strong resistance, as many healthcare providers simply do not have the funds to invest more in cybersecurity. The HHS is seeking additional funding from Congress to help low-resource healthcare providers implement those goals to improve cybersecurity, but at best the money will not start to be provided to hospitals until fiscal year 2027. The proposed financial assistance is also only focused on hospitals, not the myriad of suppliers that help keep the healthcare industry running smoothly.
The HHS Administration for Strategic Preparedness & Response and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have been working on identifying a list of systemically important entities that are critical to the function of the health system in the United States that could receive special attention, but that process is ongoing despite plans to finish the list a year ago.
The HHS’ Centers for Medicare and Medicaid Services (CMS) is looking to take action to prevent similar attacks in the future from causing such widespread disruption and is currently planning oversight of third-party healthcare vendors. At Modern Healthcare’s Leadership Symposium, CMS principal deputy administrator, Johnathan Blum said the agency is looking at the levers it can pull to ensure that severe disruptions like those caused by the Change Healthcare cyberattack can never happen again.
The Change Healthcare cyberattack clearly demonstrates there is a major risk when companies become massively dominant in the healthcare ecosystem. In 2022, the Justice Department and the Attorneys General in Minnesota and New York took legal action to block UnitedHealth Group’s acquisition of Change Healthcare due to the harm that would be caused to competition in health insurance markets. Since the cyberattack, there has been a great deal of criticism over UnitedHealth Group’s anti-competitive practices with respect to the creation of a single point of failure that can cause massive disruption to healthcare across the United States. It is not just a problem with UnitedHealth Group of course, as growing consolidation in the healthcare sector has created significant vulnerabilities to cyberattacks.
“The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our health care system,” said Anna Eshoo, Ranking Member of the Energy and Commerce Committee’s Subcommittee on Communications and Technology at a hearing on the Change Healthcare cyberattack. “The cyberattack laid bare the vulnerability of our nation’s health care infrastructure.” Given the example set by Change Healthcare, in the future mergers and acquisitions in healthcare should be subject to greater scrutiny, not just with respect to anti-competitive practices, but how and to what extent they could increase cyber risk.
July 31, 2024: Change Healthcare Reports Ransomware Data Breach to HHS
On February 21, 2024, Change Healthcare discovered it had fallen victim to a ransomware attack, and almost a week later the ALPHV/Blackcat ransomware group claimed responsibility for the attack and said 4TB of data was stolen in the attack. A $22 million ransom was paid to ensure the data was deleted, but data deletion did not occur. Instead, the ransomware group pulled an exit scam. The affiliate behind the attack was not paid and passed the stolen data to another ransomware group, RansomHub, which demanded another ransom payment.
At a House Committee hearing on May 1, 2024, the CEO of Change Healthcare’s parent company, UnitedHealth Group, confirmed that protected health information had been exposed and that the breach could potentially involve the data of up to 1 in 3 Americans; however, the full scale of the breach had yet to be determined.
On or around July 10, 2024, Change Healthcare published a substitute breach notice explaining that it was confirmed on March 7, 2024, that a substantial amount of data had been exfiltrated, but that the analysis of that data could not commence until March 13, 2024, when a safe copy of the data was obtained. The notice also said that Change Healthcare anticipated mailing individual notifications to the affected individuals on July 20, 2024.
On July 19, 2024, almost 5 months following the discovery of the attack and a day before notifications started to be mailed, Change Healthcare reported the data breach to the HHS’ Office for Civil Rights. Since the total number of affected individuals has still not been determined, Change Healthcare provided an estimated number of affected individuals – 500.
A breach affecting 500 or more individuals is the trigger for OCR to add a data breach to its breach portal. When any breach is reported to OCR, there is a delay before it is added to the breach portal, as OCR first verifies the information reported. OCR has previously stated that the process can take around 2 weeks. On July 30, 2024, the day that OCR added Change Healthcare to its breach portal, OCR updated its Change Healthcare Cybersecurity Incident webpage to provide an explanation.
“Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal,” explained OCR. “Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach.”
Change Healthcare explained in its substitute breach notice that the data analysis was 90% complete, but it has not provided any further updates on when it anticipates that process will be completed, nor have there been any further estimates of the scale of the breach.
July 18, 2024: Change Healthcare Ransomware Attack Cost Predicted to Rise to at Least $2.3B in 2024
UnitedHealth Group (UHG) has provided an update on the cost of its response to the February 2024 ransomware attack on Change Healthcare. The total cost of the response is now predicted to be between $2.3 billion and $2.45 billion this year, more than $1 billion more than previously reported. UHG has already paid almost $2 billion dealing with the response to the ransomware attack, which caused massive disruption to providers across the country due to prolonged outages.
Most of Change Healthcare’s systems have now been restored and are fully operational, and UHG has so far provided more than $9 billion in advance funding and interest-free loans to help providers who have been unable to bill for their services due to the lack of access to Change Healthcare’s systems. UHG has paid $1.98 billion in costs as of June 30, 2024, including $1.3 billion in direct costs such as restoring the Change Healthcare clearinghouse platform and higher medical expenses due to the temporary pause of some of its care management activities. Change Healthcare is also about to start issuing individual notifications to the affected individuals.
Notifications are expected to start being mailed on July 20, 2024, and while the total number of affected individuals has not yet been confirmed, UHG CEO Andrew Witty has previously warned that up to 1 in 3 Americans may have had protected health information exposed in the attack. With the U.S. population currently around 333 million, that could mean that more than 110 million individuals have been affected. Notifying those individuals will incur considerable costs.
Even with the massive costs of the ransomware attack, the Minnetonka, MN-based healthcare giant reported second-quarter earnings from operations of $7.9 billion and net earnings of $4.2 billion, with revenues up 6% year over year at $98.9 billion in Q2. Net earnings are down from $5.5 billion in Q2, 2023, with the fall largely attributed to the ransomware attack.
July 10, 2024: Change Healthcare Publishes Substitute Data Breach Notice; Notifications to be Mailed 20th July
Change Healthcare has uploaded a substitute breach notice to its website about its February 2024 cyberattack and confirmed that notification letters will start to be mailed to the affected individuals on July 20, 2024. Change Healthcare said the data review is in the late stages; however, it is possible that further individuals may still be identified as having been affected.
In the notice, Change Healthcare explains that the breach was detected on February 21, 2024, that hackers had access to its internal systems between February 12 and February 20, 2024, and on March 7, 2024, Change Healthcare confirmed that a substantial amount of data had been exfiltrated from its network. The analysis of the data was delayed until March 13, 2024, when Change Healthcare was able to obtain a safe copy of the data to analyze. The initial analysis revealed that a substantial proportion of people in America had been affected. The total number of affected individuals has yet to be publicly announced, but it is possible that as many as 1 in 3 Americans have been affected, which could put the total at more than 110 million.
The types of information exposed or stolen vary from individual to individual and may include some or all of the following. In some cases, the information of guarantors was also compromised.
- Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The notice lists some of the actions that the affected individuals can take to protect themselves against the misuse of their information. Further information can be obtained from UHG’s dedicated website for the incident or by calling the toll-free number – 1-866-262-5342, which is staffed Monday to Friday, from 8 a.m. to 8 p.m. CT.
Change Healthcare is offering complimentary credit monitoring and identity theft protection services to the affected individuals for two years. As previously reported by The HIPAA Journal, the data was stolen by an affiliate of the BlackCat ransomware group who retained a copy of the data; the operators of the now-defunct BlackCat ransomware group may also have a copy, and the RansomHub ransomware group has claimed to have obtained the data. Since the credit monitoring services are already available, and given that as many as 1 in 3 Americans may have been affected, the best course of action for anyone who thinks they may have been affected is to sign up for those services immediately through UHG’s incident website or by calling (888) 846-4705.
Several state attorneys general have issued warnings to that effect and are urging state residents to sign up for the services being offered as soon as possible to protect themselves against fraud and identity theft. Other steps that all Americans should take include:
- Monitor explanation of benefits statements from health plans and report any irregularities
- Monitor financial accounts and credit card statements and immediately report any unauthorized charges to the relevant financial institution
- Report any crime to local law enforcement and file a police report
Signs of potential fraud include:
- Denial of insurance coverage due to incorrect pre-existing conditions
- Notifications from health insurance companies that they are reaching their benefit limit
- Bills for medical services that have not been received
- Notifications from debt collection companies about debts they do not owe
- Medical debt collection notices for services that have not been received
July 2, 2024: Provider Associations Seek Clarity on Notification Responsibilities for Change Healthcare Breach
CHIME and several healthcare provider associations have written to the Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, seeking greater clarity and guidance for clinicians and providers about the reporting responsibilities for the Change Healthcare data breach.
The HHS responded promptly to CHIME’s previous letter and confirmed certain requirements regarding the breach response, most importantly, that the affected covered entities may delegate responsibility for issuing notifications to Change Healthcare. OCR stated that if the affected covered entities coordinated with Change Healthcare, they would not have additional HIPAA breach notification obligations; however, they must ensure that Change Healthcare fulfills its obligations.
CHIME is seeking clarification on the responsibility of the affected covered entities regarding the delegation of notifications and ensuring Change Healthcare fulfills its obligations and what that actually means. “We request confirmation that upon completing the delegation, the notification obligations will rest with Change Healthcare/UHG, with [covered entities] responding to reasonable requests to provide Change Healthcare/UHG with any needed information to the extent feasible,” wrote CHIME. “Anything less will fall short of the mark in providing clarity and reducing the overwhelming burden already experienced by affected clinicians and provider.”
CHIME has also asked whether there is a formal process for delegating responsibility to Change Healthcare, and if there is no online form to complete, what are the expected and specific actions that should be taken by covered entities who are in a business associate relationship with Change Healthcare/UHG that wish to delegate responsibility. Guidance has also been requested for downstream subcontractors of a business associate of Change Healthcare, and whether the covered entity must delegate the notification requirements to their business associate, who will in turn need to delegate the responsibility to Change Healthcare/UHG.
CHIME is also seeking clarity on the process for sharing names of the affected individuals when that process is expected to occur, and what assurance Change Healthcare/UHG will give to clinicians and providers that the breach has been reported to OCR for their patients.
OCR has provided answers to some questions on its FAQ page, but they only relate to the notification requirements of the federal HIPAA Breach Notification Rule. There are also breach reporting requirements under state laws. CHIME is seeking advice about those reporting requirements, and whether OCR and Change Healthcare/UHG are coordinating with state officials and if OCR is anticipating working with state officials and Change Healthcare/UHG to ensure Change Healthcare/UHG’s compliance with state laws.
Some clinicians and providers have expressed concern that some of their patients’ protected health information has been found on the dark web, but they do not currently have any contractual relationship with Change Healthcare/UHG and have not had a contractual relationship for years. CHIME has asked how OCR will handle these situations.
One of the problems with a data breach of this magnitude, which may have affected 1 in 3 Americans, is there will be many affected patients who have more than one payer. That could mean that those individuals may receive multiple breach notification letters, one from each affected payer. Such a situation could create undue stress and anxiety for those patients. CHIME has asked OCR to explain the process for notification to ensure that those individuals only receive one notification.
CHIME has requested answers from OCR as soon as possible as well as a meeting with Fontes Rainer to discuss these concerns.
June 21, 2024: Change Healthcare Starts Notifying Entities Affected by February Ransomware Attack
Change Healthcare has provided an update on the progress made in reviewing the files potentially stolen in its February ransomware attack and has confirmed that the healthcare providers, insurers, and other entities affected have started to be notified. More than 90% of the affected files have been reviewed although it is still not yet possible to confirm precisely what data has been compromised for each affected covered entity. The compromised information may include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information. Medical charts and medical histories do not appear to have been stolen.
The HIPAA Breach Notification Rule requires covered entities to issue individual notifications without undue delay and no later than 60 days from the discovery of a data breach. OCR has confirmed that when a data breach occurs at a business associate, covered entities have up to 60 days to issue breach notification letters from the date they receive notification from their business associate. They can delegate responsibility for issuing notifications to the business associate, but they are ultimately responsible for ensuring that notifications are sent.
OCR has confirmed that Change Healthcare may send notifications on behalf of the affected covered entities, and UnitedHealth Group has publicly stated that it will help the affected covered entities with the administrative and notification requirements. Each affected covered entity must coordinate with Change Healthcare regarding the sending of individual notifications.
Change Healthcare said it anticipates mailing individual notification letters at the end of July for all affected covered entities that have asked Change Healthcare to issue notifications on their behalf, although up-to-date contact information may not be held for all of those individuals. The investigation into the breach and file review is ongoing, and Change Healthcare said it may identify further individuals who have been affected as the investigation progresses.
“The media notice and substitute notification posted [Thursday, June 20, 2024] is the next step in the process and consistent with the ongoing communication we have been providing regarding this cyberattack against Change Healthcare and the U.S. healthcare system,” explained Change Healthcare. “While the data review is in its late stages, we continue to provide credit monitoring and identity theft protection to people concerned about their data potentially being impacted.”
June 11, 2024: Senators Urge UHG to Issue Notifications About Change Healthcare Ransomware Attack Before June 21
On June 7, 2024, Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) wrote to UnitedHealth Group CEO Andrew Witty urging him to take responsibility for issuing notifications about the February 21, 2024, ransomware attack on Change Healthcare and to promptly issue notifications to the affected individuals.
The Office for Civil Rights (OCR) recently updated its website FAQ to clear up confusion about breach notifications (see below) and confirmed that UHG/Change Healthcare can legally send individual notifications on behalf of the affected covered entities; however, also confirmed that it is ultimately the responsibility of each affected covered entity to ensure that those notifications are sent.
Prior to the publication of the OCR FAQ, UHG offered to issue notifications and undertake the related administrative requirements for the affected covered entities; but has not publicly confirmed that it is taking sole responsibility for issuing the notifications, nor has UHG formally notified the affected covered entities about the breach.
To clear up any remaining confusion, the senators have called for UHG to formally confirm that it will be handling all of the breach notification requirements, including issuing individual notifications and notifying the media, state attorneys general, and OCR.
At the House Committee hearing on May 1, 2024, Witty confirmed that protected health information had been exposed, and while the scale of the breach was not known, said it could affect up to 1 in 3 Americans. The ransomware group publicly confirmed that patient data had been stolen well before that date.
The senators claim that UHG/Change Healthcare is already in violation of the HIPAA Breach Notification Rule as it has been more than 3 months since the discovery of the ransomware attack and notifications have still not been issued. The HIPAA Breach Notification Rule requires notifications to be issued without undue delay and no later than 60 days from the discovery of the breach.
The senators have called for Witty to immediately send them the plan for issuing notifications and to ensure that notifications are sent no later than June 21, 2024. Until notifications are issued, the affected individuals remain in the dark about the vulnerability of their personal data and health information.
June 3, 2024: OCR Confirms Change Healthcare Can Issue Breach Notifications for Ransomware Attack
The HHS’ Office for Civil Rights (OCR) has updated its Change Healthcare Cyberattack Frequently Asked Questions (FAQs) to provide greater clarity about the breach reporting requirements for the Change Healthcare ransomware attack. OCR has confirmed that Change Healthcare can legally issue breach notifications on behalf of all affected covered entities.
OCR initially said that ultimately it is the responsibility of each covered entity to issue breach notification letters when there is a breach of unsecured protected health information at a business associate, and that a covered entity may delegate breach notifications to the business associate. Change Healthcare is a healthcare clearinghouse, a type of HIPAA-covered entity, but it is a business associate of the covered entities that use its services. While Change Healthcare’s parent company, UnitedHealth Group (UHG), publicly confirmed that it was willing to help its customers by handling the reporting requirements, many Change Healthcare clients were confused about whether UHG would handle the breach notifications. Several provider groups wrote to OCR (see below) asking for OCR to clear up the confusion and confirm that UHG/Change Healthcare would handle all breach notifications.
On May 31, 2024, OCR reiterated that the Change Healthcare ransomware attack resulted in the exposure of electronic protected health information, therefore under HIPAA, individual notifications must be issued to the affected individuals. OCR explained in the updated FAQs that if a covered entity affected by the breach wants UHG/Change Healthcare to issue notifications, then they must contact Change Healthcare to discuss the matter. As far as OCR is concerned, it is acceptable for Change Healthcare to issue notifications for all affected clients.
“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR Director Melanie Fontes Rainer. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.” Several industry groups have praised OCR for clearing up the confusion and confirming that UHG/Change Healthcare can issue notifications. The FAQs also state that if the affected covered entities delegate the notification requirements to Change Healthcare or UHG and those notifications are not issued, then the burden of issuing notifications will fall on the affected covered entities.
Regarding the timescale for issuing notifications, the HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a breach. The Change Healthcare ransomware attack was discovered on February 21, 2024, so breach notifications are now due.
While many covered entities and business associates have issued notifications within 60 days of the discovery of a cyberattack, it is increasingly common for breached entities to take the date of discovery as either the date that it was confirmed that protected health information was breached, or the date of the completion of the document review, when the exact types of information involved and the total number of affected individuals have been established. In such cases, notifications are issued months after the attack was first identified.
UHG said that up to 1 in 3 Americans could have been affected by the attack but UHG has not confirmed the actual number of individuals affected nor the types of information involved. No time frame has been provided on when those processes will be completed. According to the OCR FAQ, “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG.”
May 31, 2024: Senator Calls for FTC and SEC to Hold UHG Executives Accountable for Change Healthcare Ransomware Attack
Senator Ron Wyden (D-OR) has written to the Chairs of the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) calling for UnitedHealth Group (UHG) executives to be held accountable for the ransomware attack that caused massive disruption and huge financial difficulties for providers across the country.
As UHG CEO Andrew Witty explained in a recent hearing before the House Energy and Commerce Committee, a ransomware actor gained access to the internal network via a server that did not have multi-factor authentication (MFA), rendering it vulnerable to brute force attacks and compromised credentials, which is how a ransomware affiliate breached its network.
For a company that processed the data of 1 in 3 Americans and was used by so many providers across the country, security should have been exceptional; however, breaching the network was straightforward for the ransomware group. As Sen. Wyden explained in the letter, MFA is a basic security measure and one that a company as large as UHG should have comprehensively implemented.
At the hearing, Witty explained that UHG has a policy requiring MFA to be implemented on all external-facing systems; but in some cases, such as when servers were running older technologies that have been updated, MFA may have been skipped because compensating controls were in place. Sen. Wyden said that the board should have been aware that in those cases, skipping MFA was a bad idea.
The failure to comprehensively implement MFA amounts to negligent cybersecurity practices according to Sen. Wyden. If MFA had been in place, the cyberattack and data breach could have been prevented, patients would not have been harmed, and providers’ financial problems would have been avoided.
Patients were prevented from obtaining their medications and had difficulty getting the care they needed as many providers had to restrict hours or even close. Further, the harm is likely to continue as patient data is now in the hands of cybercriminals and can be used for identity theft and fraud. The personal and health information of military personnel was also stolen in the attack, and that information could be obtained by adversaries such as Russia and China, causing serious harm to U.S. national security.
Sen. Wyden believes that the attack was the direct result of corporate negligence and that the executives, including CEO Witty and the board of directors, should be held accountable for the lapses in security. In the letter, Sen. Wyden called for FTC Chair Lina S. Khan and SEC Chair Gary Gensler to investigate UHG over its negligent cybersecurity practices.
The FTC has already taken action against companies for failing to implement MFA. In cases against the alcohol delivery platform Drizly and the education tech firm Chegg, the lack of MFA was deemed to be an unfair business practice that violated the FTC Act, and the companies were ordered to implement the most secure form of MFA, phishing-resistant MFA.
Sen. Wyden also called for UHG to be investigated over its lack of preparedness for ransomware attacks. A plan should have been developed to allow the rapid recovery of its systems in the event of a ransomware attack; however, instead of taking hours or days, the recovery took several weeks.
Sen. Wyden also suggested that the failure of UHG to implement industry-standard cybersecurity defenses was due to a lack of experience on the board. For instance, the Chief Information Security Officer (CISO) at UHG was appointed in June 2023 after holding other positions in UHG and Change Healthcare, yet he had never held any similar cybersecurity position elsewhere. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job,” said Sen. Wyden.
He also stressed that the CISO should not be scapegoated due to his lack of experience, and instead, the board of directors should be held responsible for giving the job to someone who clearly did not have the necessary experience.
Sen. Wyden called for the SEC to investigate UHG to determine if any laws under its jurisdiction have been broken and to hold senior officials accountable. A precedent was set last year at the SEC for holding executives accountable for cybersecurity failures when the SEC held that the Chief Technology Officer at SolarWinds was accountable for lax cybersecurity that was exploited in the SolarWinds cyberattack.
May 22, 2024: Provider Groups Request Clarification from HHS on Change Healthcare Data Breach Reporting Requirements
More than 100 provider groups, including the College of Healthcare Information Management Executives (CHIME), American Health Information Management Association (AHIMA), and American Medical Association (AMA), have written to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer seeking clarification on the HIPAA breach reporting requirements with respect to the Change Healthcare ransomware attack and how those requirements will be enforced.
On March 13, 2024, OCR explained in a Dear Colleague letter that an investigation had been initiated into the Change Healthcare cyberattack to assess United Health Group’s (UHG) and Change Healthcare’s compliance with the HIPAA Rules. OCR explained in the letter that UHG and Change Healthcare are the primary focus of the investigation, and that OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary.
“While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” wrote OCR in the letter.
In a recently published FAQ on the HHS website, OCR explained that when there is a breach of protected health information (PHI) at a business associate, it is ultimately the responsibility of the covered entity to notify the affected individuals about the breach although the covered entity may delegate that responsibility to the business associate. OCR also said that if there is any doubt regarding how breach notifications will be handled, the affected providers should contact UHG and Change Healthcare.
UHG issued a statement confirming they “are committed to doing everything possible to help and provide support to anyone who may need it,” and that “to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”
The provider groups want OCR to clear up confusion for providers and have requested that OCR explain how it intends to enforce the HIPAA reporting requirements with respect to the Change Healthcare data breach. They want to be able to reassure their members that UHG/Change Healthcare will be handling the reporting and notification requirements, rather than the providers that have been affected by the breach. That includes notifying OCR about the breach, issuing notifications to media outlets, reporting the breach to state Attorneys General, and issuing individual notifications.
As explained in the letter, since UHG has offered to handle the breach reporting requirements, it would be quick and easy for OCR to publicly state that UHG/Change Healthcare will be handling all reporting and notification requirements. OCR’s FAQ suggests that every affected provider contact UHG/Change Healthcare for information on how breach reporting will be handled; however, the providers affected are “so numerous that a specific number is not readily available.” The provider groups said, “Given the well-documented state of chaos in the provider community in the wake of this breach, OCR’s silence on this point is disappointing.”
They would like to be able to tell their members that they can rely on the offer from UHG to handle notifications and undertake related administrative requirements on behalf of any provider or customer, and request that OCR confirm that providers can rely on that statement and confirm that since “UHG bears sole responsibility for the breach, no breach notification requirements apply to any affected medical provider.”
They have also requested clarification from OCR regarding its investigations. “OCR should publicly state that their breach investigation and immediate efforts at remediation will be focused on Change Healthcare and not the providers affected by Change Healthcare’s breach.”
May 3, 2024: Senators Grill UHG CEO About Change Healthcare Cyberattack
At a House subcommittee hearing, UnitedHealth Group (UHG) CEO Andrew Witty was grilled by Senators over the Change Healthcare ransomware attack and confirmed that one-third of Americans may have been affected.
Witty opened by saying he was “deeply, deeply sorry,” for the attack and the disruption and financial strain placed on providers and the impact the attack has had on patients. He explained that he decided to pay the $22 million ransom and confirmed that compromised credentials were used to gain access to Change Healthcare’s systems, which were most likely purchased by the attacker on the dark web.
Credentials alone should not be sufficient to gain access to a system. Witty confirmed that the stolen credentials were for a Citrix portal used for remote access, and that access was made possible due to the lack of multifactor authentication (MFA). He said it is company policy to have MFA on all externally facing devices but MFA was missing on the Citrix portal, a fact known to the company’s head of cybersecurity. Witty confirmed that all externally facing systems now have MFA enabled.
Change Healthcare states on its website that its systems touch the data of one in three Americans so the data breach could potentially be huge – more than 110 million Americans. Witty was asked to disclose the scale of the breach but was reluctant to do so in case he was wrong, but when pressed to give an estimate, confirmed that a third of U.S. residents may be affected.
Senator Calls for Immediate Notifications for Potentially Affected Patients
U.S. Senator Maggie Hassan (D-NH) called for UHG to immediately notify patients whose data was potentially stolen in the Change Healthcare cyberattack. She reminded Witty of the UHG’s obligation under HIPAA to issue notifications when it is reasonably believed that protected health information has been exposed. That would mean notifications for all patients for whom Change Healthcare holds data.
“The attack happened on February 21st. The HIPAA deadline for reporting to the agency and to individuals was April 21st. It’s now May 1st,” said Senator Hassan. “Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals on the dark web.” Many HIPAA-regulated entities take the view that the clock starts ticking on the date that it is confirmed that protected health information has been exposed, which is the date when the forensic investigation is completed, or as is increasingly common, the date when the review of all documents on the compromised network has been completed. That could be several months after the date of discovery of a security breach. Witty said that the complex nature of the investigation and review means it could well be several months before notifications can be issued.
At the hearing, Sen. Hassan was able to get Witty to commit to waiving exclusivity clauses from contracts with Change Healthcare, which will make it easier for healthcare providers to make contingency plans and pivot quickly in the event of a future cyberattack on Change Healthcare.
Has Change Healthcare Become Too Big?
Sen. Ron Wyden (D-OR), chair of the Senate Finance Committee, and several other Senators criticized UHG over the speed at which security and systems are being updated. UHG acquired Change Healthcare in 2022 and the upgrades to systems and security have still not been completed. UHG was also criticized for the time it is taking to recover from the attack. While many of the core systems have now been restored, Witty said that older Change systems are still in the process of being restored.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Wyden. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack.”
Sen. Marsha Blackburn (R-TN) slammed Witty for the lack of preparedness for what many people believe was an inevitable cyberattack. In 2023, UHG generated around $22 billion in profit. “Your revenues are bigger than some countries’ GDP,” said Blackburn. “How in heaven’s name did you not have the necessary redundancies, so that you did not experience this attack and find yourself so vulnerable?”
The size of UHG was often referenced at the hearing, with Sen. Bill Cassidy (R-LA) suggesting that the dominance of UHG in healthcare markets created a special vulnerability and that the attack had an outsized ripple effect, with Sen. Elizabeth Warren (D-MA) criticizing UHG and calling it “a monopoly on steroids.”
April 30, 2024: UHG CEO to Testify Before House E&C Subcommittee About Change Healthcare Ransomware Attack
UnitedHealth Group (UHG) CEO Andrew Witty is due to testify before the House Energy and Commerce Oversight and Investigations Subcommittee on Wednesday, May 1, 2024, about the Change Healthcare ransomware attack. A copy of his written testimony is available here.
Witty said in his written testimony, “We have been working 24/7 from the day of the incident and have deployed the full resources of UnitedHealth Group on all aspects of our response and restoration efforts. I want this Committee and the American public to know that the people of UnitedHealth Group will not rest – I will not rest – until we fix this.”
He said UHG “repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”; however, on February 12, 2024, one of those attacks succeeded and a threat actor gained access to the Change Healthcare network. Witty said the threat actor then “moved laterally within the systems in more sophisticated ways and exfiltrated data.” Ransomware was deployed on February 21, 2024, 9 days after the initial intrusion, and data on Change Healthcare’s systems was encrypted, preventing access to those systems.
Witty said the perimeter was secured and UHG prevented the malware from spreading to the broader health system. Those efforts were successful, as the intrusion was confined to Change Healthcare and did not spread to any external environment, including Optum, UnitedHealthcare, and UHG. “We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever,” explained Witty.
Witty also confirmed that the threat actor gained initial access to the Change Healthcare network using compromised credentials to remotely access a Change Healthcare Citrix portal used for remote access to desktops. The Citrix portal did not have multifactor authentication enabled.
He explained that it was initially unclear how access had been gained, so the decision was taken to sever connectivity with Change Healthcare’s data centers. While that move was hugely disruptive, he said it was the right thing to do to contain the attack and limit the harm caused. He also confirmed that it was his decision to pay the ransom. The decision was “guided by the overriding priority to do everything possible to protect people’s personal health information,” and it was one of the hardest decisions he has ever had to make.
He also said that the complicated nature of the data review means it will likely take months to identify and notify the affected individuals. For the individuals affected, that means they could be at risk of identity theft and fraud long before they even find out if their data has been stolen. Witty said UHG is working with industry experts to monitor the Internet and dark web to determine if any of the stolen data is published, and “rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services. Anyone concerned their data may have been impacted should visit [this link] for more information.”
UHG has now provided more than $6.5 billion in accelerated payments and interest-free loans to help providers who have been unable to file and collect insurance claims; however, many patients, hospitals, and health systems continue to be affected by the attack. UHG said in an April 22, 2024, press release that it would “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack,” and that UHG “has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” The American Hospital Association (AHA) and the Medical Group Management Association (MGMA) have called for OCR to hold UHG to its promise to send out breach notifications to the affected individuals.
April 23, 2024: UHG: Substantial Proportion of US Population May Be Affected by Change Healthcare Cyberattack
Andrew Witty, Chief Executive of UnitedHealth Group (UHG) has confirmed that a ransom was paid to prevent the publication of data stolen in the Change Healthcare cyberattack. While the amount paid was not disclosed, it has been widely reported that $22 million was paid to the Blackcat ransomware group behind the attack. The data was not deleted and was obtained by another ransomware group, RansomHub, which tried to extort Change Healthcare and UHG and then leaked screenshots of the stolen data when payment was not forthcoming.
UHG issued a statement confirming that based on the initial results of its investigation, protected health information and/or personally identifiable information was compromised in the attack. Details of the exact types of data involved have not been confirmed, although UHG said it has not found any evidence of exfiltration of doctors’ charts and full medical histories.
UHG has yet to confirm the number of people affected by the breach, but has warned that it could cover “a substantial proportion of people in America.” Change Healthcare states on its website that the information of one in three Americans is touched by its systems, which means it could be the largest ever healthcare data breach, potentially involving the protected health information of more than 100 million Americans.
As for when notifications will be issued, that too is unclear. It has almost been 60 days from the date of discovery of the cyberattack (February 21, 2024), but it was only confirmed on April 15, 2024, that protected health information had been breached. The review of the affected information is ongoing to determine how many individuals have been affected and the types of information involved.
“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” said UHG. “As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review.” A dedicated website has been created with further information.
An update has also been provided on the restoration of Change Healthcare’s services. UHG said pharmacy services and medical claims across health systems are back to near-normal levels, although a small number of providers continue to be adversely affected. Payment processing is at approximately 86% of pre-incident levels, and around 80% of Change Healthcare’s functionality has now been restored. The remaining services are expected to be restored in the coming weeks.
Details of the nature of the breach have yet to be disclosed; however, The Wall Street Journal has reported that the hackers gained access to Change Healthcare’s systems 9 days before ransomware was deployed on February 21, 2024. According to the WSJ source, who is familiar with the attack, compromised credentials were used to access its systems, multifactor authentication was not enabled on the compromised account, and lateral movement occurred from February 12 to February 24, which would have allowed the attackers to gain access to significant amounts of data.
HHS Publishes Webpage with HIPAA FAQs Related to Change Healthcare Cyberattack
The HHS’ Office for Civil Rights has created a webpage to answer commonly asked questions about the Health Insurance Portability and Accountability Act (HIPAA) and the Change Healthcare ransomware attack.
The webpage explains the rationale behind OCR’s ‘Dear Colleague’ letter about the cyberattack and the prompt opening of an investigation of Change Healthcare and UnitedHealth Group (UHG) to establish whether they were in compliance with the HIPAA Rules. OCR said action was taken quickly due to the widespread impact of the attack on healthcare providers and patients and the unprecedented impact on patient care and privacy.
OCR confirmed that its interest in other HIPAA-regulated entities in relation to the Change Healthcare cyberattack is secondary but reminded HIPAA-regulated entities that if they have business associate relationships with Change Healthcare or UHG, they must ensure they have business associate agreements in place and reminded them of their responsibility to ensure that protected health information (PHI) is safeguarded.
OCR confirmed that it has yet to receive any notification from Change Healthcare about a breach of PHI and confirmed that covered entities have up to 60 days from the date of discovery of a data breach to report any breaches of unsecured PHI.
OCR said covered entities affected by the Change Healthcare cyberattack are required to issue breach notifications to the affected individuals and notify the Secretary of the HHS, and that those notifications should be issued without unreasonable delay and no later than 60 days from the date of discovery of a data breach. A notice is also required to be provided to the media. If a business associate experiences a data breach, it must notify the covered entity within 60 days of discovery. The business associate should provide the covered entity, to the extent possible, with details of the breach and the affected individuals. The covered entity is responsible for issuing breach notifications when breaches occur at business associates, although it may delegate responsibility for doing so to the business associate.
HIPAA-regulated entities that have been affected by the Change Healthcare cyberattack should contact Change Healthcare/UHG if they have any questions about breach notifications to determine the extent to which Change Healthcare and UHG are willing to issue breach notifications on behalf of the affected organizations and how breach notification will occur. UHG has stated publicly that it is willing to help the affected entities with their breach notifications.
Scammers Target Nebraska Hospitals
Bryan Health has issued an alert after being notified by several patients who were contacted by people claiming to be representatives of hospitals in Nebraska telling them they are entitled to a refund related to the Change Healthcare cyberattack. The scammers ask for a credit card number to issue the refund.
Bryan Health said its representatives would never ask for a credit card number over the phone to initiate a refund. Jeremy Nordquist, President, Nebraska Hospital Association (NHA), said “Nebraskans need to be vigilant for both them and their family members. If you are at all skeptical regarding the nature of a phone call, hang up and call your hospital directly.”
The warning applies to all Americans. There are likely to be many scams related to the Change Healthcare cyberattack over the coming weeks and months.
April 17, 2024: Change Healthcare Investigates Potential Leak of Patient Data
Change Healthcare experienced an ALPHV/Blackcat ransomware attack and reportedly paid a $22 million ransom to prevent 6TB of stolen data from being leaked, only for the group to pull an exit scam and pocket the payment without paying the affiliate who conducted the attack.
A relatively new ransomware group – RansomHub – then issued a demand stating it had acquired the stolen data from the former ALPHV affiliate and required payment to prevent the data from being leaked. Payment has not been made and RansomHub has started to leak the stolen data. Screenshots have been leaked that appear to be data sharing agreements between Change Healthcare and several of its clients, and some files that include patient data.
The group claims it will sell the stolen data to the highest bidder in 5 days if Change Healthcare and UnitedHealth Group refuse to negotiate a suitable payment. Change Healthcare has confirmed it is aware of RansomHub’s threat but has yet to verify whether the leaked data was stolen in the February cyberattack. UnitedHealth Group has confirmed that personal health information and personally identifiable information were stolen in the attack and leading forensics experts have been engaged to review the affected files. The types of information exposed and the number of individuals affected have yet to be disclosed.
Providers Still Struggling Financially Due to Cyberattack
A survey conducted by the American Medical Association (AMA) has revealed that more than one-third (36%) of physician practices have seen claims payments suspended as a result of the ransomware attack, one-third (32%) have not been able to submit claims, two-fifths (39%) have not been able to obtain electronic remittance advice, and one-fifth (22%) have not been able to verify eligibility for benefits.
77% of respondents said they experienced service disruptions since the Change Healthcare ransomware attack and are still dealing with the effects of the attack. 80% of providers said they lost revenue from unpaid claims, 78% lost revenue from claims that they have been unable to submit, 55% have had to use personal funds to cover expenses incurred as a result of the attack, and 51% said they have lost revenue from the inability to charge patient co-pays or remaining obligations.
48% of respondents said they have had to enter new and potentially costly arrangements with alternative clearinghouses to conduct electronic transactions, and while some practices have been able to take advantage of advance payments, temporary funding assistance, and loans, issues persist with all of those measures.
“The disruption caused by this cyber-attack is causing tremendous financial strain,” said AMA President Jesse M. Ehrenfeld, MD, MPH. “These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians. The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.”
Lawmakers Seek Answers on What Went Wrong
On April 8, 2024, Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and Subcommittee Chair Richard Blumenthal (D-CT), wrote to UnitedHealth Group Chief Executive Officer Andrew Witty seeking answers about the attack. One of the key questions was why there was a lack of redundancy to prevent a major outage. The Senators also requested information about how its network was breached, asked for a timeline of events following the attack, and wanted to know about the steps UnitedHealth Group is taking to fill the revenue gap providers are experiencing and what is being done to identify the providers and patients whose data was stolen in the attack. The Senators requested answers before April 15, 2024.
On April 15, 2024, members of the House of Representatives Committee on Energy and Commerce wrote to Andrew Witty demanding answers to a long list of questions about the status and impact of the cyberattack and system restoration, the identification and immediate response to the cyberattack, the cybersecurity protocols and dedicated resources in place, the response to the healthcare community, and requested updates on the recovery by April 29, 2024.
At an April 16, 2024, hearing before the Energy and Commerce Health Subcommittee, Subcommittee Ranking Member Anna G. Eshoo (D-CA) criticized UnitedHealth Group over its acquisition of Change Healthcare – an acquisition that was opposed by the Department of Justice. “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our health care system,” said Rep. Eshoo. “The cyberattack laid bare the vulnerability of our nation’s health care infrastructure.” Questions were also asked about whether the government allowed UnitedHealth Group to become too dominant through its mergers and acquisitions and whether enough was done to prevent inevitable cyberattacks given how big a target Change Healthcare is. UnitedHealth Group was asked to attend the hearing, but no representative turned up.
UnitedHealth Group Anticipates $1.6 Billion Loss This Year Due to Ransomware Attack
UnitedHealth Group has spent around $872 million in Q1, 2024, responding to the Change Healthcare ransomware attack, with $593 million spent on direct-response costs and $279 million lost due to business disruption. UnitedHealth has also provided $6 billion in temporary, interest-free funding to providers affected by the outages who have been unable to bill for their services and anticipates the costs in 2024 to increase to between $1.35 billion and $1.6 billion. Despite the losses due to the cyberattack, UnitedHealth Group has exceeded expectations in Q1, 2024, with revenues up $8 billion year-over-year.
April 8, 2024: New Ransomware Group Claims to Have Data from Change Healthcare Ransomware Attack
The ALPHV/Blackcat affiliate behind the Change Healthcare ransomware attack has claimed not to have been paid a share of the $22 million ransom payment, and the ALPHV ransomware operation has since been shut down. The affiliate, who operates under the name Notchy, claimed to hold a copy of the 6TB of data stolen in the attack; however, the data does not appear to have been publicly leaked, cybersecurity researchers have not identified any attempts to sell the data, and Notchy has been quiet since making the initial claims and appears to be lying low.
There have been some developments, however. A new ransomware group called Ransom Hub has emerged that has issued a ransom demand to Change Healthcare, Optum Group, and UnitedHealth Group. The Ransom Hub post, which was found by security researcher Dominic Alvieri, states that ALPHV stole the $22 million that was paid to prevent the release of the stolen data and that ALPHV does not hold the stolen data.
Ransom Hub claims to have the only copy of the stolen data and the post lists some of the affected healthcare providers. Ransom Hub is threatening to leak the stolen data and has given Change Healthcare and UnitedHealth Group 12 days to pay the ransom. “Change Healthcare and United Health you have one chance in protecting your clients data,” said Ransom Hub on its dark web site. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.”
VX Underground engaged with the Ransom Hub group, which claimed to have recruited previous ALPHV affiliates, suggesting that Notchy may be one of the affiliates that has joined the operation; however, there are other possible explanations, as VX Underground explained: “it is not clear if RansomHub is a rebrand of ALPHV ransomware group, the affiliate at ALPHV is moving to RansomHub, or if this is a scam by RansomHub ransomware group trying to intimidate Change Healthcare into paying again.”
“Ransomware payouts is a tricky business because you’re dealing with criminals who can’t be trusted. Various theories exist on recent reports that RansomHub is now claiming data from United Health and Change HealthCare, which was recently breached by AlphV,” Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, told The HIPAA Journal. “This can be explained through shifts in the criminal marketplace, lying by bad actors, multiple compromises, or other scenarios. It is not uncommon, as an incident responder, to discover not just one threat inside of a compromised environment, but two or more. It is also not uncommon for companies that give in to bad actors performing extortion, such as ransomware and DDoS payouts, to become ‘soft targets’, quickly hit again with additional forms of extortion again and again.”
Change Healthcare Seeks Consolidation of Lawsuits
Lawsuits against Change Healthcare have been mounting, with at least two dozen lawsuits now filed in response to the attack and data breach. The lawsuits have been filed by patients who claim their sensitive data was stolen in the attack and by healthcare providers who have been affected by the prolonged outage of Change Healthcare’s systems. Change Healthcare has responded by filing a motion that seeks consolidation and transfer of the lawsuits to Change Healthcare’s home district, the United States District Court for the Middle District of Tennessee. While lawsuits have been filed by both individuals and providers, Change Healthcare has asked the court to consolidate all of them, since they include common factual and legal issues arising from the attack and assert substantially identical causes of action.
According to Change Healthcare, consolidating the lawsuits will prevent duplicative discovery, inconsistent pretrial rulings, and will conserve the resources of the parties and the courts, and the Middle District of Tennessee has the strongest connection to the litigation. The only common defendant in each of the actions is Change Healthcare, which is headquartered in Tennessee, where key custodians, witnesses, and evidence are also located. The Middle District of Tennessee is also where the first action was filed, along with around half of the subsequent actions.
The lawsuits filed by individuals and providers all make similar allegations – that Change Healthcare failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to its network, something that Change Healthcare denies. “All the actions are based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient and plaintiffs must have been harmed,” said Change Healthcare in its filing.
At least 13 lawsuits have now been filed by individuals whose data was allegedly stolen in the attack. They claim that they face an imminent and heightened risk of identity theft and fraud as a result of the theft of their data. At least 11 lawsuits have been filed by healthcare providers who were affected by the outages at Change Healthcare, which caused delays to insurance claims and have threatened the viability of their businesses.
Disruption Continues to Be Experienced by Providers Despite Restoration of Change Healthcare Systems
Many of Change Healthcare’s systems have now been restored, with the remainder expected to be restored in the next few weeks. The latest update on April 5, 2024, said medical network and transaction services such as Pharmacy solutions, Exchange clearinghouse, Assurance Reimbursement Management, Clearance Patient Access Suite, and Reimbursement Manager, as well as claims and eligibility transactions are being prioritized.
While medical claims are now flowing through Change Healthcare’s network, providers are still facing delays due to the substantial billing backlog and the unavailability of certain systems. Change Healthcare’s Assurance and Relay Exchange clearinghouses are back online and have been for a few weeks; however, it has taken time for commercial payers and government payers to reconnect to the claims network, with providers across the country still waiting for many claims to be paid. UnitedHealth Group has continued to offer financial assistance and has provided more than $4.7 billion in temporary financial assistance to the affected providers.
March 29, 2024: UnitedHealth Group Confirms Data Stolen in Change Healthcare Ransomware Attack
It has been more than 5 weeks since Change Healthcare suffered a Blackcat ransomware attack. The ALPHV/Blackcat group is known to exfiltrate data in its attacks; the group claimed to have stolen 6TB of data, and a ransom of $22 million was paid to a Blackcat account to prevent the release of the stolen data. The affiliate behind the attack claimed not to have been paid for the attack, the ALPHV/Blackcat group said the ransom was seized by law enforcement and was never received, and the affiliate claimed to still hold a copy of the stolen data.
Neither Change Healthcare nor its parent company, UnitedHealth Group, has publicly disclosed whether a ransom was paid, but UnitedHealth Group has now confirmed that data was stolen in the attack. UnitedHealth Group said it has started analyzing the exfiltrated files to determine how many individuals have been affected and the types of data involved. UnitedHealth Group said it was unable to confirm whether data had been stolen until now, as Change Healthcare’s systems were difficult to access and it was not safe to pull any data out of those systems directly. The delay was due to the time taken to complete mounting and decompression procedures, but a dataset has now been obtained that can be safely accessed and analyzed.
No timescale has been provided so far about when that analysis will be completed but UnitedHealth Group said attention is focused on the data review. While it is currently unclear what types of data were stolen in the attack, UnitedHealth Group said personally identifiable health information, eligibility and claims information, and financial information are likely to have been compromised. So far, UnitedHealth Group has not identified the publication of any of the stolen data on the dark web.
Key systems have now been restored but many Change Healthcare IT products and services remain offline. UnitedHealth Group said substantial progress has been made in recovering those systems, with eligibility processing, clinical data exchange, and retrospective episode-based payment models expected to be restored in the next 3 weeks. UnitedHealth Group has also confirmed that it has paid out more than $3.3 billion in loans to healthcare providers under its temporary funding program to help ease the financial strain caused by delays to the processing of insurance claims, and providers will have 45 days to pay back the loans. 40% of the $3.3 billion has been provided to safety net hospitals and federally qualified health centers that serve high-risk patients and communities.
HHS Issues Guidance for Providers Affected by Change Healthcare Ransomware Attack
The Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), and the Administration for Strategic Preparedness and Response (ASPR) have issued guidance to help entities impacted by the Change Healthcare ransomware attack.
The attack forced Change Healthcare to take more than 100 systems and services offline, and those systems have remained offline for several weeks. While key products and services have been restored, some Change Healthcare systems are still offline. It is likely to take several more weeks before all services are restored. HHS Deputy Secretary Andrea Palm, ASPR Administrator and Assistant Secretary Dawn O’Connell, and CMS Administrator Chiquita Brooks-LaSure said they continue to hear from providers who are still experiencing difficulty getting answers from health plans about the availability of prospective payments or the flexibilities that may be needed while Change Healthcare’s systems remain unavailable.
They explained that the HHS has asked health plans to provide national contact information that the affected providers can use, and have shared resources to help affected providers get the answers they need. Affected providers have been urged to try to get answers from regional points of contact for their health plans in the first instance, and to use the provided contact information if they are unable to get a response.
They have also taken the opportunity to remind healthcare providers about the HHS voluntary Healthcare and Public Health Cybersecurity Performance Goals, which will help them to strengthen preparedness, improve resiliency against cyberattacks, better protect patient health information, and better support HIPAA compliance.
Department of State Offers $10 Million Reward for Information on ALPHV/Blackcat Ransomware Group
The U.S. Department of State has confirmed that there is a reward of up to $10 million for information leading to the identification or location of any individual linked to the ALPHV/Blackcat ransomware group, their affiliates, or links to a foreign government under the Rewards for Justice (RFJ) program.
March 25, 2024: Clarification Sought from OCR About Change Healthcare Ransomware Breach Notifications
The American Hospital Association (AHA) has written to the Department of Health and Human Services seeking clarification about data breach notifications, should it turn out that protected health information has been compromised. OCR recently announced that due to the impact of the Change Healthcare ransomware attack, the decision had been taken to investigate Change Healthcare promptly to establish whether it was compliant with the HIPAA Rules. In a “Dear Colleague” letter, OCR Director Melanie Fontes Rainer said, “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”
The AHA expressed concern about Fontes Rainer’s statement and is seeking clarification on which entities need to issue notifications. The AHA explained in the letter that Change Healthcare is a covered entity and, as such, has a duty to notify OCR and the affected individuals about any data breach, even in cases where Change Healthcare acts as a business associate. “We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred,” stated the AHA in the letter. “We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already… our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack.”
The Washington State Hospital Association (WSHA) has also been contacted by its members who have expressed concern about the notification requirements after reading OCR’s letter. With respect to the business associate agreement and notification warnings in the letter, WSHA said, “This statement reminds hospitals they can get ahead of this issue by reviewing now the various sets of obligations on both their part and the part of Change contained in the BAAs they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements.”
Patients Report Scam Calls Following Change Healthcare Cyberattack
The Minnesota Hospital Association and Minnesota Attorney General have issued warnings as scammers appear to be targeting patients affected by the Change Healthcare ransomware attack. Patients have reported receiving calls from individuals claiming to be representatives from hospitals, clinics, and pharmacies who are offering refunds or demanding payment. While these calls could indicate that data stolen in the attack is already being misused, it could just be opportunists taking advantage of the situation. Lou Ann Olson of the MHA urged everyone to exercise caution and be wary of scams. “Your hospital will not call or email you to ask for a credit card number,” said Olson. She urged patients to contact their healthcare provider directly if they receive a call, text, or email related to the Change Healthcare cyberattack.
Change Healthcare Criticized for Slow Recovery
Cybersecurity experts have criticized Change Healthcare over its response to the cyberattack, which has caused outages lasting more than 4 weeks. While around 20 services have now resumed, more than 100 are still offline. While it is not unusual for a recovery from a ransomware attack to take several weeks, the extent to which Change Healthcare’s systems are used by healthcare providers means the impact has been far-reaching, and as such, Change Healthcare should have been aware of this and been better prepared to ensure that disruption was minimized.
“The fact that it has taken a company that provides such a critical service so long to recover is obviously a concern. Not only the time it took to recover its IT systems, but the fact that it seemingly didn’t have a backup plan that could be quickly and speedily put in place,” said Emsisoft threat analyst, Brett Callow. Other cybersecurity experts have questioned whether appropriate backups were in place and if an incident response plan was in place that had been properly tested.
UnitedHealth Provides $2.5B in Financial Assistance to Affected Providers and Starts Working on $14M Claims Backlog
UnitedHealth Group has confirmed that it has advanced more than $2.5 billion to healthcare providers affected by the outages at Change Healthcare and has software due to be made available to help with claims preparation. “We recognize the event has caused different levels of impact among providers; therefore, we continue to offer temporary funding assistance at no cost,” the company said. “We know many providers, especially smaller practices, are struggling, and we encourage those who need further assistance to access these resources.”
UHG also said on March 22, 2024, that it expected its biggest clearinghouses to be back online during the weekend, and that the backlog of more than $14 billion in claims will start to flow soon afterwards.
March 15, 2024: UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack
UnitedHealth Group (UHG) has confirmed that the cybersecurity firms Mandiant and Palo Alto Networks are assisting with the forensic investigation and that the investigation into the February 21, 2024, ransomware attack on Change Healthcare is well underway. UHG has also confirmed that the forensic investigation has uncovered the source of the intrusion. After identifying the initial attack vector, UHG identified a safe restore point and can now work on restoring the systems that are currently non-operational and can start recovering data.
At this stage, UHG has not publicly disclosed the initial attack vector. There was speculation in the days immediately after the attack that two recently disclosed vulnerabilities in ConnectWise ScreenConnect were exploited in the attack. Those vulnerabilities were discovered on February 15, and notifications about the flaws were issued on February 19, just a couple of days before the LockBit ransomware attack on Change Healthcare was detected. UHG said it will be sharing further information on its investigation and recovery in the coming days, but it is unclear whether that will include the attack vector. Typically, victims of cyberattacks do not publicly disclose exactly how their systems were breached.
UHG has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services and it has begun enabling its Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity. On March 13, 2024, UHG said all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.
March 11, 2024: UnitedHealth Group Expands Financial Assistance Program and Provides Timeline for Recovery
On March 8, 2024, more than 2 weeks after the Change Healthcare ransomware attack, UnitedHealth Group provided a timeline on when it expects to have restored its systems and services. UnitedHealth Group said its electronic prescribing service is now fully functional and has been since Thursday; however, electronic payments are not expected to be available until March 15, 2024. Testing of the claims network and software will commence on March 18, and services are expected to be restored throughout that week.
UnitedHealth Group has also confirmed that its financial assistance program, provided through Optum, has been expanded to include providers that have exhausted all available connection options as well as those that work with payers who will not advance finances during the outage. The financial assistance program will see advance payments made each week based on providers’ historic payment levels and those following the cyberattack. UnitedHealth Group was criticized for the onerous terms of its financial assistance program which was made available a week after the attack, but confirmed that the funds will not need to be repaid until claims flows have completely resumed. When that happens, providers will be sent an invoice and will be given 30 days to repay the funds.
Prior authorizations are being suspended for most outpatient services for Medicare Advantage plans, utilization reviews for inpatient admissions are being put on hold until March 31, 2024, and drug formulary exception review is suspended for Medicare Part D pharmacy benefits. Pharmacies affected by the outage have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filled during the outage “with the good faith understanding that a medication would be covered.”
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO, UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
The additional measures have been welcomed but the American Medical Association (AMA) has warned that physician practices are still likely to face significant challenges. “The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is re-established,” said the AMA. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are re-established with the Change Healthcare network.”
March 5, 2024: UnitedHealth Group Offers Temporary Funding Assistance in Response to Change Healthcare Ransomware Attack
UnitedHealth Group, the parent company of Change Healthcare, has set up a temporary financial assistance program for customers affected by the Change Healthcare ransomware attack. The program will help providers who have been unable to receive payments due to the outage at Change Healthcare. Under the financial assistance program, providers that receive payments processed by Change Healthcare will be able to apply for temporary funding through Optum Financial Services. If applications are made for temporary funding, they will be paid based on prior claims volume and will be interest-free and fee-free.
“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” explained UnitedHealth. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”
The financial assistance program is only available for providers who have been affected by the disruption to payment distribution. Financial assistance is not being offered to providers that have faced claims submission disruption, therefore, only a small number of providers will qualify for assistance. The terms of the financial assistance program are also worrying. Any funds provided will need to be paid back when normal operations resume and repayments will need to be made within 5 days of receiving notice. The terms of the financial assistance include allowing Optum Financial Services to take back the funds without advance communication.
While the move has been welcomed by provider groups, they say it will do little to alleviate the financial strain on many of the affected providers who are experiencing severe cash flow problems due to the increased workload from having to implement workarounds for filing claims and prior authorization requests. The American Hospital Association (AHA) said the assistance being offered “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage.” The assistance being offered only addresses one of the two problems caused by the Change Healthcare outage. It helps address the problem of payers being unable to pay via Change Healthcare, although the AHA said the terms and conditions are “shockingly onerous.” The AHA said no assistance is being offered at present to ease the burden on providers who are unable to bill payers in a timely manner due to the ongoing disruption of Change Healthcare’s clearinghouse and claims submission systems.
The recovery process has been slow for Change Healthcare. The Blackcat ransomware attack caused an outage that has lasted for almost 2 weeks. On March 1, 2024, Change Healthcare confirmed that it had set up a new instance of its Rx ePrescribing service and had successfully tested the new instance with vendors and retail pharmacies; however, the Clinical Exchange ePrescribing provider tools remain offline, as do around 100 of Change Healthcare’s IT products.
There have been reports in the media that indicate Optum paid a $22 million ransom payment to the ALPHV/Blackcat ransomware group for the decryption key and to ensure that the stolen data is deleted. The affiliate behind the attack claims that the ALPHV/Blackcat group stole the ransom and has now shut down the operation. The affiliate claims to have 4TB of the data stolen from Change Healthcare.
UnitedHealth Provides Update on Incident Response and Recovery
UnitedHealth Group has provided further updates on the recovery process. On March 1, 2024, a new instance of Change Healthcare’s Rx ePrescribing service was made available and UnitedHealth Group said it has already processed more than 3 million transactions, and volume is increasing daily as more system vendors reconnect. Workarounds are continuing to be deployed for claims, and UnitedHealth Group says 90% of claims are now flowing uninterrupted, with claims expected to increase to around 95% by next week (w/c 3/11); however, there are still issues with Change Healthcare’s payment capabilities, although progress is being made on restoring them. “Our teams have been diligently working on restoration of the core environment. We expect our data center rebuild and restoration of database center services to be complete this week,” explained UnitedHealth Group. “From there, we will turn our full attention to application and service restoration.”
On March 7, UnitedHealth Group said a new instance of the Rx Connect (Switch) service is now online and it is actively working to restore full service and connectivity claim traffic and has begun enabling Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity.
While progress is being made on restoring services, attention will soon turn to the scale of the data breach. Given that Change Healthcare processes 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions, this could turn out to be one of the largest healthcare data breaches of all time. At least 5 class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who allege their information was stolen in the attack, and that number is expected to continue to grow as the extent of the data breach becomes clear.
March 2, 2024: Change Healthcare Confirms Blackcat Ransomware Attack as Rx ePrescribing Service Reestablished
The Blackcat ransomware group claims to have stolen a vast amount of data from Change Healthcare in the recent cyberattack. In a statement posted on, and later removed from, its data leak site, a member of the group claimed to have stolen 6TB of data from UnitedHealth, which the group alleges includes “highly selective data” from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Screenshots of some of the data were shared as proof of data theft. The group also claims to have stolen the source code of Change Healthcare applications. The group claims to have stolen the data of millions of patients, including medical records, insurance records, dental records, payment information, claims information, and patients’ PHI, including health data, contact information, and Social Security numbers.
Change Healthcare has yet to determine the extent of any data breach at this early stage of its investigation. Ransomware groups usually threaten to publicly release data to pressure victims into paying the ransom, and listings are often added when victims refuse to negotiate or when negotiations break down. The rapid removal of the listing suggests that Change Healthcare is in touch with the group, although there could be other reasons for the removal of the data.
In an update on February 28, 2024, Change Healthcare confirmed that disruptions have continued for a 9th day, with some applications still experiencing connectivity issues. Change Healthcare also said it has a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not compromised and the breach appears to be limited to Change Healthcare, with none of its clients’ systems breached.
In a February 29, 2024 update, Change Healthcare confirmed that this was an ALPHV/Blackcat ransomware attack. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”
While not specifically referencing the Change Healthcare cyberattack, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on February 27 warning about increased attacks on the healthcare sector by the Blackcat/ALPHV ransomware group. 70 victims have been listed on the group’s data leak site since December 2023, and the healthcare sector has been the most commonly attacked sector.
In a March 1, 2024 update, Change Healthcare explained that a new instance of its ePrescribing service has been stood up, although Clinical Exchange ePrescribing providers’ tools are still not operational. “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” explained Change Healthcare in a March 1, 2024 status update. “As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”
February 27, 2024: Blackcat Ransomware Group Behind Change Healthcare Cyberattack
The disruption at Change Healthcare has continued into the seventh day after its February 21 cyberattack, with pharmacies across the country still struggling to process prescriptions. With Change Healthcare’s systems out of action, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed. On Monday, Change Healthcare confirmed that the attack is still affecting 117 of its applications and components.
Change Healthcare/Optum has been providing daily updates and has confirmed that the disruption is continuing. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” explained Change Healthcare in its February 26, 2024 update. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”
Change Healthcare has engaged the services of Alphabet’s cybersecurity unit, Mandiant, which is assisting with the investigation and remediation of the cyberattack. While neither Change Healthcare nor Mandiant has commented on the nature of the attack, Reuters has reported that two sources familiar with the incident have confirmed that this was a ransomware attack and that the ALPHV/Blackcat ransomware group is responsible. On February 27, 2024, a member of the Blackcat group confirmed that they were behind the attack.
Blackcat is known to engage in double extortion tactics, where sensitive data is exfiltrated before ransomware is used to encrypt files. Ransoms must be paid to recover encrypted files and to prevent the release of stolen data, so there is likely to have been a data breach although that has not been confirmed by Change Healthcare at this stage.
In December 2023, the Blackcat group was the subject of a US-led law enforcement operation that took down websites used by the group. In a statement issued after the takedown, the group said that in response it had removed restrictions on its affiliates, who are now permitted to conduct attacks on critical infrastructure entities and healthcare organizations. It should be noted that the “rule” on not targeting healthcare organizations was not strictly followed before the takedown, as the group conducted several attacks on healthcare organizations in 2023, including McLaren Health Care and Norton Healthcare.
In early updates on the nature of the attack, Change Healthcare said it suspected that the attack was the work of a nation-state-associated actor; however, that appears not to be the case. ALPHV/Blackcat is a financially motivated cybercriminal group with no known links to any nation state. There have also been media reports suggesting the attack involved the exploitation of a vulnerability in ConnectWise’s ScreenConnect app. ConnectWise issued a statement saying Change Healthcare does not appear to be a direct customer, although it is possible that ConnectWise was used by a managed service provider. At this stage, no MSP partners have come forward and confirmed a breach that impacted Change Healthcare.
February 22, 2024: Change Healthcare Responding to Cyberattack
Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has confirmed that it is dealing with a cyberattack that has caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impacts.
“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” explained Change Healthcare on its status page. The Change Healthcare cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working around the clock to mitigate the attack and restore the affected systems.
UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Change Healthcare provides prescription processing services through Optum, which serves over 67,000 U.S. pharmacies and 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions. Change Healthcare is also used by Tricare, the healthcare provider of the U.S. military, and all military pharmacies, clinics, and hospitals have been affected by the disruption caused by the Change Healthcare cyberattack. Retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to send orders through insurance plans.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, UnitedHealth confirmed that Change Healthcare had experienced a cyberattack that affected dozens of systems. At this stage of the incident response, it is too early to tell if any patient data has been exposed or stolen in the attack, and neither UnitedHealth nor Change Healthcare could provide a timeline for when systems will be brought back online.
UnitedHealth said in its SEC filing that it suspects the cyberattack was conducted by a nation state, rather than a cybercriminal group, but did not provide further information on how that determination was made. That announcement is concerning, given the recent warnings about China maintaining access to critical infrastructure entities in the U.S. and the new sanctions due to be imposed on Russia in response to the death of Alexei Navalny.
There are also fears that the cyberattack could extend to the pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued a warning to all members that they should immediately disconnect from the Optum system as a precaution. “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said, advising members to switch to manual processes in the meantime.
What is HIPAA and does this Cyberattack Break the Law?
All healthcare organizations that conduct transactions electronically that involve protected health information are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of protected health information to unauthorized individuals and the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information.
If an unauthorized individual gains access to systems containing protected health information, it is classed as an impermissible disclosure of protected health information and is a reportable HIPAA breach. However, a cyberattack that results in access being gained to protected health information is not necessarily a HIPAA violation. The HIPAA Security Rule requires risks and vulnerabilities to be identified, and for those risks to be managed and reduced to a reasonable and appropriate level; it does not require risks and vulnerabilities to be eradicated entirely.
The first priority following the detection of unauthorized system activity should be to contain the incident and ensure that the threat actor is eradicated from internal systems. Systems must be safely brought back online and the nature and scope of the incident established through a forensic investigation. If it is determined that patient data has been exposed, the breach must be reported to the Department of Health and Human Services (HHS) and the affected individuals must be provided with individual notifications within 60 days of the discovery of a data breach. The HHS investigates all data breaches of over 500 records to determine if they were the result of a failure to comply with the HIPAA Rules and financial penalties can be imposed for noncompliance.
The HIPAA Journal will update this post as more information about the incident comes to light, so please check back over the coming days and months.