April 1, 2024 By Jennifer Gregory 3 min read

Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications.

Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.

Ransomware attacks shut down systems for weeks

Earlier this month, Change Healthcare was the victim of a ransomware attack by ALPHV, also known as BlackCat. Change Healthcare provides pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, authorizations and medical necessity reviews. Every year, Change processes 15 billion healthcare transactions and touches one in three patient records.

According to Change Healthcare’s statement on their website, when they discovered that a threat actor gained access to one of their environments, they disconnected their systems to limit the impact. The attack caused Change to shut down for several weeks. While some services are back online, Change Health is currently working on getting all operations up and running again. During this time, providers, including hospitals, pharmacies and private practices, were unable to access the systems to perform functions, including getting reimbursed for patient services and preauthorization for patients.

According to Wired, UnitedHealth, which owns Change Health, reportedly paid $22 million in ransom. Although ALPHV’s dark web sites and decryption keys were seized by the FBI in December 2023, the organization still managed to pull off one of the most disruptive healthcare attacks only a few months later. ALPHV’s dark website recently listed 28 other corporate victims of their attacks.

Read the Threat Intelligence Index report

Attack causes trickle-down effect

One of the most damaging parts of the cyberattack is the trickle-down effect from Change to providers to patients. Cybersecurity Dive uncovered a range of impacts, from providers not seeing new patients due to not being able to verify insurance eligibility to hospitals unable to use their typical billing processes. Pharmacists cannot accurately determine patient copays, resulting in them either taking estimated payments or requiring patients to pay the full amount for their medications.

Many providers are struggling to pay their expenses without insurance reimbursement for services. Molly Fulton, the Chief Operating Officer at Arlington Urgent Care, told the New York Times that their five urgent care centers had around $650,000 in unpaid insurance reimbursements. To stay open, the owners are using their personal savings and opening lines of credit through their bank to cover employee paychecks, rent and other business expenses.

Healthcare remains one of the industries most targeted by cyber criminals. The IBM X-Force Threat Intelligence Index 2024 reported that healthcare is the third-most targeted industry in North America, moving up from fourth place the previous year. The majority of healthcare incidents (43%) involved threat actors using legitimate tools for malicious purposes, while spam campaigns and malware cases each accounted for 29% of incidents.

The impact of the attack going forward

As Change Healthcare continues to get its systems back online, many questions still remain unanswered, such as what the organization’s liability will be. As the aftermath is being sorted out, many experts are interested in seeing how the organization may be held financially responsible for their customers’ current situation due to billing and payment issues.

Along with the Change Healthcare incident, cyberattacks that have affected critical infrastructure, such as the Colonial Pipeline attack, are prompting businesses and the federal government to review and adjust their processes to reduce the impact of future attacks. These attacks will likely compel changes in the future, affecting the U.S. healthcare system and the cybersecurity industry as a whole.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today