April 1, 2024 By Jennifer Gregory 3 min read

Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications.

Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.

Ransomware attacks shut down systems for weeks

Earlier this month, Change Healthcare was the victim of a ransomware attack by ALPHV, also known as BlackCat. Change Healthcare provides pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, authorizations and medical necessity reviews. Every year, Change processes 15 billion healthcare transactions and touches one in three patient records.

According to Change Healthcare’s statement on their website, when they discovered that a threat actor gained access to one of their environments, they disconnected their systems to limit the impact. The attack caused Change to shut down for several weeks. While some services are back online, Change Health is currently working on getting all operations up and running again. During this time, providers, including hospitals, pharmacies and private practices, were unable to access the systems to perform functions, including getting reimbursed for patient services and preauthorization for patients.

According to Wired, UnitedHealth, which owns Change Health, reportedly paid $22 million in ransom. Although ALPHV’s dark web sites and decryption keys were seized by the FBI in December 2023, the organization still managed to pull off one of the most disruptive healthcare attacks only a few months later. ALPHV’s dark website recently listed 28 other corporate victims of their attacks.

Read the Threat Intelligence Index report

Attack causes trickle-down effect

One of the most damaging parts of the cyberattack is the trickle-down effect from Change to providers to patients. Cybersecurity Dive uncovered a range of impacts, from providers not seeing new patients due to not being able to verify insurance eligibility to hospitals unable to use their typical billing processes. Pharmacists cannot accurately determine patient copays, resulting in them either taking estimated payments or requiring patients to pay the full amount for their medications.

Many providers are struggling to pay their expenses without insurance reimbursement for services. Molly Fulton, the Chief Operating Officer at Arlington Urgent Care, told the New York Times that their five urgent care centers had around $650,000 in unpaid insurance reimbursements. To stay open, the owners are using their personal savings and opening lines of credit through their bank to cover employee paychecks, rent and other business expenses.

Healthcare remains one of the industries most targeted by cyber criminals. The IBM X-Force Threat Intelligence Index 2024 reported that healthcare is the third-most targeted industry in North America, moving up from fourth place the previous year. The majority of healthcare incidents (43%) involved threat actors using legitimate tools for malicious purposes, while spam campaigns and malware cases each accounted for 29% of incidents.

The impact of the attack going forward

As Change Healthcare continues to get its systems back online, many questions still remain unanswered, such as what the organization’s liability will be. As the aftermath is being sorted out, many experts are interested in seeing how the organization may be held financially responsible for their customers’ current situation due to billing and payment issues.

Along with the Change Healthcare incident, cyberattacks that have affected critical infrastructure, such as the Colonial Pipeline attack, are prompting businesses and the federal government to review and adjust their processes to reduce the impact of future attacks. These attacks will likely compel changes in the future, affecting the U.S. healthcare system and the cybersecurity industry as a whole.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today