In February 2024, Change Healthcare suffered a ransomware attack that exposed sensitive personal and medical data. This breach affected millions of Americans, potentially impacting up to one-third of the U.S. population.
By mid-July 2024, Change Healthcare began sending notification letters to individuals whose information was compromised. The exposed data includes health insurance information, medical records, and personal details.
To support those affected, the company is offering two years of free credit monitoring and identity theft protection. Individuals are encouraged to stay alert for signs of identity theft or fraud.
The financial impact has been estimated by UnitedHealth Group, with the total cost of the breach expected to exceed $2.3 billion by the end of 2024. This has led to legal and financial complications for healthcare providers nationwide.
Regulatory authorities, including the U.S. Department of Health and Human Services, have launched investigations into the handling of the incident and the notification process.
August 2024: What to Do if You Receive a Change Healthcare Data Breach Notification
If you have recently received a letter from Change Healthcare informing you that your personal information was compromised in their February 2024 ransomware attack, you’re not alone. On July 31, 2024, Change Healthcare announced that individual breach notifications had begun, and millions of Americans are expected to be affected.
The breach, which compromised sensitive data between February 17 and 20, 2024, exposed various types of personal and health-related information. This could include contact details, health insurance data, medical records, billing information, and more. With the scale of the attack estimated to affect up to 110 million people, potentially 1 in 3 Americans, taking action is important. Here are three steps to take if you receive a breach notification:
1. Verify the Legitimacy of the Notice
Before responding to any breach notification, ensure that it’s genuine. While Change Healthcare is mailing letters to affected individuals, it’s important to be aware of phishing attempts. To verify the letter:
• Look up the details of the breach on trusted sites like the U.S. Department of Health and Human Services (HHS) or Change Healthcare’s official website.
• Use the customer service number provided by Change Healthcare: 1-866-262-5342, which is available Monday to Friday, 8 a.m. to 8 p.m. CT, to confirm that the notification is authentic.
• Avoid relying on links or phone numbers from suspicious sources. Use official communication channels found through independent searches.
2. Monitor Your Financial and Health Accounts
Once you’ve confirmed the legitimacy of the notification, monitor your financial and health-related accounts for any signs of fraud or unauthorized activity. This includes:
• Regularly checking bank and credit card statements for unfamiliar transactions.
• Reviewing explanation of benefits (EOB) statements from health insurers for any services you did not receive.
• Watching out for medical bills from providers you haven’t visited or debt collection notices for services you didn’t receive.
If you notice any suspicious activity, report it to your financial institution, healthcare provider, or insurance company. You can also report identity theft to the Federal Trade Commission (FTC) and, if necessary, file a police report.
3. Consider Freezing Your Credit or Setting Up Fraud Alerts
Taking proactive steps to protect your identity is just as important as monitoring your accounts. Approximately 75% of ransomware victims experience a second attack following the first.
• For fraud alerts, contact any of the three major credit reporting agencies (Equifax, Experian, or TransUnion) to place a free, one-year fraud alert on your credit file. This makes it more difficult for anyone to open accounts in your name.
• For a credit freeze, you can freeze your credit for extra security, preventing anyone from accessing your credit report without your explicit permission. This service is also free, but it must be done individually with each of the credit reporting agencies.
These actions can help protect you from identity theft, one of the potential risks of the data breach. Change Healthcare is offering two years of free credit monitoring and identity theft protection through IDX. To enroll, visit the website provided in the breach notification letter or call 1-888-846-4705. While credit monitoring can be useful, it’s also important to note that taking steps like freezing your credit or setting up fraud alerts provides more protection.
Receiving a data breach notification can be troubling, but by verifying the notice, monitoring your accounts, and taking protective steps like freezing your credit, you can lessen the risks. For more information and updates, visit Change Healthcare’s Cyber Response page.
July 18, 2024: Costs from Change Healthcare Ransomware Attack Expected to Exceed $2.3 Billion in 2024
UnitedHealth Group (UHG) has updated the projected cost of its response to the February 2024 ransomware attack on Change Healthcare, estimating the total expense to reach between $2.3 billion and $2.45 billion by the end of the year. This is over $1 billion more than initially reported. As of June 30, 2024, UHG had already paid nearly $2 billion in response to the attack, which caused disruptions to providers nationwide due to extended system outages.
Most of Change Healthcare’s systems have been restored and are now fully operational. To support providers unable to bill for services during the outage, UHG has provided more than $9 billion in advance funding and interest-free loans. The $1.98 billion in costs incurred by June 30, 2024, includes $1.3 billion in direct costs related to restoring the Change Healthcare clearinghouse platform and increased medical expenses due to the temporary halt of some care management activities.
Change Healthcare is due to begin issuing individual breach notifications to affected individuals on July 20, 2024. Although the exact number of impacted individuals has not been confirmed, UHG CEO Andrew Witty has previously stated that up to 1 in 3 Americans may have had their protected health information (PHI) exposed, potentially affecting over 110 million people.
Despite the massive costs incurred from the cyberattack, UHG reported $7.9 billion in earnings and $4.2 billion in profits for the second quarter of 2024, with revenues rising 6% year-over-year to $98.9 billion. Profits were confirmed to be down from $5.5 billion in Q2 2023, largely due to the financial impact of the ransomware attack.
July 10, 2024: Change Healthcare Issues Update on Data Breach; Individual Notifications to Begin July 20th
Change Healthcare has uploaded a substitute breach notice on its website regarding the February 2024 cyberattack. The notice confirms that notification letters to affected individuals will start being mailed on July 20, 2024. While the data review is nearly complete, Change Healthcare noted that many individuals may still be identified as affected by the breach.
The breach was detected on February 21, 2024, with hackers having accessed Change Healthcare’s systems from February 17 to February 20, 2024. On March 7, 2024, Change Healthcare confirmed that a large amount of data had been exfiltrated from its network. The company began a safe analysis of the data on March 13, 2024. Early analysis suggests that up to one-third of Americans may have been impacted, potentially exceeding 110 million individuals.
The substitute notice outlines the types of data that may have been compromised, varying by individual. The information potentially exposed includes health insurance information (such as plan details and Medicaid/Medicare IDs), health information (including medical records, diagnoses, and treatments), billing and payment details, and personal identifiers like Social Security numbers, driver’s licenses, and passport numbers. In some instances, guarantors who paid bills for healthcare services also had their information compromised. Medical charts and full medical histories have not yet been identified as part of the breached data.
Change Healthcare is offering two years of complimentary credit monitoring and identity theft protection to those affected. Individuals are encouraged to sign up for these services immediately. Steps to further protect against misuse of personal data include monitoring health plan explanation of benefits (EOB) statements for inaccuracies, reviewing financial account and credit card statements for unauthorized transactions, and reporting any suspicious activities to local law enforcement.
Several state attorneys general have also urged residents to sign up for these protection services to safeguard against identity theft and fraud. Individuals are advised to be vigilant for signs of potential fraud, such as the denial of insurance coverage for unknown pre-existing conditions, notifications from insurers about reaching benefit limits, medical bills for services not received, or debt collection notices for unfamiliar debts or services.
For more details and assistance, affected individuals can visit Change Healthcare’s support page at ChangeCyberSupport or call the dedicated support line at 1-866-262-5342, available Monday through Friday, 8 a.m. to 8 p.m. CT.
Change Healthcare continues to work with cybersecurity experts and law enforcement to investigate the breach. The company has also implemented new security measures to prevent similar incidents in the future. While the investigation is in its final stages, the review of impacted data and the notification process will continue through late July and beyond as needed.
July 2, 2024: CHIME Seeks Clarity on Notification Responsibilities
CHIME (College of Healthcare Information Management Executives), along with other healthcare provider associations, has sent a letter to Office for Civil Rights (OCR) Director Melanie Fontes Rainer, requesting guidance on reporting responsibilities following the Change Healthcare data breach. While the OCR had previously provided some guidance, CHIME is asking for clarification on several points to ensure providers can comply with HIPAA requirements without facing extra pressures.
- Delegation of Notification Responsibilities
OCR confirmed that affected covered entities may delegate the responsibility for breach notifications to Change Healthcare. CHIME is asking for confirmation that once the delegation is complete, the notification responsibilities will rest entirely with Change Healthcare/UHG. CHIME stated that covered entities should only be required to provide Change Healthcare with requested information as needed, rather than carrying the full weight of ensuring that notifications are made.
- Formal Process for Delegation
CHIME is seeking clarification on whether there is a formal process, such as an online form, that covered entities must complete to delegate breach notification duties to Change Healthcare/UHG. If no formal process exists, they are asking what specific steps covered entities must take to ensure that responsibility is properly delegated. CHIME also wants to know how the process works for entities that are not directly contracted with Change Healthcare but may work with Change Healthcare as a subcontractor.
- Sharing Names of Affected Individuals
One area of concern is how affected covered entities will receive information about the individuals whose data was compromised in the breach. CHIME is asking for clarity on when Change Healthcare/UHG will provide this information and what assurances will be given to ensure that the breach has been properly reported to OCR.
- Coordination with State Laws
While OCR’s FAQs address federal HIPAA breach notification requirements, CHIME is asking whether OCR and Change Healthcare are also working with state officials to ensure compliance with state-specific breach notification laws. Given the differences in state laws, this is a concern for healthcare providers in states with stricter reporting requirements than those mandated by HIPAA.
- Providers with No Active Relationship with Change Healthcare
Some healthcare providers have reported that their patients’ protected health information (PHI) has surfaced on the dark web, despite not having a contractual relationship with Change Healthcare for years. CHIME is requesting guidance from OCR on how these situations will be handled and whether providers who no longer work with Change Healthcare are still responsible for breach notifications.
- Managing Multiple Notifications to Patients
Another issue is the potential for patients to receive multiple breach notifications if they have more than one healthcare provider or insurer affected by the breach. This could lead to confusion and unnecessary stress for patients. CHIME is asking OCR to clarify how notifications will be handled to ensure that patients only receive one notification, even if multiple entities hold their data.
CHIME has requested a meeting with OCR Director Melanie Fontes Rainer to further discuss the situation and seek timely resolutions. Given the scale of the breach, they are pressing for clear and practical guidance. The letter was co-signed by other prominent healthcare organizations, including the American Academy of Family Physicians (AAFP), American College of Physicians (ACP), American Medical Association (AMA), and the Medical Group Management Association (MGMA). Together, they are asking OCR to provide clarity to reduce the pressures on healthcare providers while ensuring compliance with HIPAA breach notification rules.
June 21, 2024: Change Healthcare Has Begun Notifying Organizations Impacted by February’s Ransomware Attack
Change Healthcare has confirmed it has started notifying healthcare providers, insurers, and other entities affected by the February 21, 2024, ransomware attack. To date, more than 90% of the compromised files have been reviewed, although it remains unclear which data has been compromised for each entity. The exposed information may include names, addresses, birth dates, diagnostic images, payment details, Social Security numbers, passport numbers, state ID numbers, and health insurance information. A positive aspect of the recent update is that medical charts and complete medical histories seem to have remained secure and were not accessed during the breach.
Under the HIPAA Breach Notification Rule, covered entities are required to issue individual notifications within 60 days of discovering a breach. OCR clarified that covered entities can delegate these notifications to a business associate, like Change Healthcare, but are still responsible for ensuring the notifications are sent. Change Healthcare has stated that it plans to start mailing individual notifications in late July for all affected covered entities that have requested assistance, although some individuals’ contact information may be incomplete.
The ongoing investigation and file review may result in the identification of further affected individuals. Change Healthcare has also posted a media notice and substitute notification on June 20, 2024, providing resources to individuals who believe their data may have been compromised, including offering two years of complimentary credit monitoring and identity theft protection.
Change Healthcare continues to work with cybersecurity experts and law enforcement to address the attack and safeguard the system. The company is also providing individuals with access to a dedicated call center and further resources for anyone concerned about their information.
June 11, 2024: Senators Advise UHG to Issue Notifications By June 21st
On June 7, 2024, Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) sent a letter to UnitedHealth Group (UHG) CEO Andrew Witty, asking him to assume full responsibility for notifying all affected individuals and health care providers about the ransomware attack on Change Healthcare. The February 21, 2024, attack compromised the personal and health information of potentially one-third of Americans, and to date, UHG has not issued the required breach notifications.
The letter states that UHG is in violation of the Health Insurance Portability and Accountability Act (HIPAA), which mandates that covered entities notify affected individuals within 60 days of discovering a breach. The senators conveyed concern that millions of Americans are still unaware that their personal data and health information may have been compromised, despite UHG’s public statements about conducting an analysis and offering to handle the notifications.
The Office for Civil Rights (OCR) recently updated its FAQs to confirm that UHG/Change Healthcare can legally issue breach notifications on behalf of the affected covered entities. OCR also reiterated that it is the ultimate responsibility of each covered entity to ensure notifications are sent. To resolve confusion, the senators asked for UHG to formally commit to handling all breach notifications and to notify OCR, state regulators, and health care providers.
Senators Hassan and Blackburn demanded that UHG issue the breach notifications no later than June 21, 2024, and requested that Witty provide them with a detailed plan for completing this process. They stressed that until notifications are sent, millions of Americans remain uninformed about the risks posed by the breach. This letter follows Witty’s testimony before Congress on May 1, 2024, where he acknowledged that the breach could affect up to one-third of Americans. Despite this, UHG has not yet issued formal breach notifications as required by HIPAA.
June 3, 2024: OCR Allows Change Healthcare to Issue Breach Notifications
The HHS Office for Civil Rights (OCR) has provided further clarity regarding the breach notification requirements for the Change Healthcare ransomware attack. In an updated Frequently Asked Questions (FAQs) document, OCR confirmed that Change Healthcare can issue breach notifications on behalf of all affected covered entities, provided that the covered entities delegate that responsibility to Change Healthcare.
This clarification arrives after weeks of confusion regarding who would be responsible for notifying affected individuals, especially given the scale of the attack. The cyberattack, which occurred on February 21, 2024, exposed the electronic protected health information (ePHI) of a large portion of the U.S. population. OCR stated that individual notifications are required under HIPAA, and that covered entities can work with Change Healthcare to fulfill their notification obligations.
Several provider groups had communicated concerns about the confusion surrounding breach notifications and asked OCR to clear up the matter. OCR’s update confirmed that affected covered entities can delegate the breach notification process to Change Healthcare, and that Change Healthcare is legally permitted to issue these notifications on behalf of all affected clients.
OCR Director Melanie Fontes Rainer asked all parties to take immediate steps to ensure that HIPAA breach notifications are prioritized, especially given that notifications were due by this time. According to the HIPAA Breach Notification Rule, entities are required to issue notifications within 60 days of the discovery of a breach. While some entities take longer, OCR made it clear that the clock starts once affected covered entities receive the necessary information from Change Healthcare.
UHG, the parent company of Change Healthcare, has stated that up to one-third of Americans could be affected by the breach. The exact number of impacted individuals and the types of data involved have yet to be confirmed. According to the updated FAQs, OCR will not start the 60-day period for notifications until Change Healthcare has provided the necessary information to affected covered entities. Several industry groups have praised OCR’s decision for providing clarity and reducing the pressure on providers, many of whom had raised concerns about duplicative notifications and unnecessary costs. The update has been seen as a positive step toward resolving the confusion around breach notifications stemming from one of the largest healthcare cyberattacks in history.
May 31, 2024: Senator Calls for FTC and SEC to Hold UHG Executives Accountable for Change Healthcare Ransomware Attack
Senator Ron Wyden (D-OR) has written to the Chairs of the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), urging both agencies to hold UnitedHealth Group (UHG) executives accountable for what he considers to be negligent cybersecurity practices that led to the ransomware attack on Change Healthcare. In the letter, Sen. Wyden criticized UHG for its failure to implement multi-factor authentication (MFA) on an external server, allowing a ransomware affiliate to breach the system, which affected one-third of Americans and caused disruptions in healthcare services.
Sen. Wyden’s letter referenced UHG CEO Andrew Witty’s testimony before the House Energy and Commerce Committee, in which Witty explained that UHG did not apply MFA to all external-facing systems, particularly older ones, because compensatory security controls were in place. Wyden pointed out that MFA is a basic security measure, important for a company as large as UHG, which processes the medical data of millions of Americans. Wyden also noted that skipping MFA on any server was an oversight that resulted in the breach, which has caused lasting harm to patients, providers, and U.S. national security.
The letter argued that UHG’s board should have recognized the risks of such practices and that the company’s failure to adopt basic cybersecurity defenses, such as MFA, amounts to corporate negligence. Wyden asked for FTC and SEC investigations, drawing parallels to previous enforcement actions by the FTC, such as those against companies like Drizly and Chegg, which were found to have violated the FTC Act due to failures in implementing cybersecurity protections.
Wyden further criticized UHG’s recovery efforts, which took weeks rather than hours or days, and questioned why UHG’s leadership allowed the company’s systems to be so vulnerable. He suggested that part of the failure derived from appointing an inexperienced Chief Information Security Officer (CISO), Steven Martin, who lacked prior full-time experience in cybersecurity. Wyden made it clear that while Martin should not be scapegoated, the board and senior leadership were responsible for appointing someone without sufficient experience to such a role.
Wyden also pointed out that the attack compromised the data of military personnel, which could pose risks to national security. He reiterated that the FTC and SEC should investigate UHG for any federal law violations and hold its senior officials accountable for the failures leading to this attack. The SEC case against SolarWinds was used as an example of how corporate leaders can be held accountable for cybersecurity breaches that harm consumers and investors. Sen. Wyden concluded by stating that this incident was preventable, and UHG’s negligence has harmed both patients and the healthcare industry, and also the company’s investors.
May 22, 2024: Over 100 Provider Groups Ask For Clarification of HIPAA Breach Reporting Requirements
On May 22, 2024, more than 100 provider groups, including organizations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA), and the American Medical Association (AMA), wrote a letter to Health and Human Services (HHS) Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer. The letter sought clarification on the enforcement of HIPAA breach reporting requirements following the ransomware attack on Change Healthcare.
The provider groups expressed concerns about how the breach notification process will be handled, specifically whether UnitedHealth Group (UHG) and Change Healthcare would be solely responsible for notifying affected individuals and government entities, as opposed to the healthcare providers impacted by the breach. They called for clear guidance from the HHS Office for Civil Rights (OCR), stating that UHG had offered to take on the breach reporting responsibilities.
The letter explains that the breach has created confusion and challenges within the healthcare provider community, and many organizations are still dealing with its financial and operational impacts. The provider groups want OCR to confirm that UHG/Change Healthcare, as the covered entity, would manage all reporting obligations, allowing healthcare providers to focus on patient care rather than dealing with duplicate breach notifications.
The letter also noted that the number of affected providers was too large to quantify easily and described the situation as chaotic. The provider groups communicated their disappointment over OCR’s lack of clear correspondence regarding the issue, adding that OCR’s silence on the matter has only increased the confusion. The letter also requested that OCR publicly state that its breach investigation would focus on UHG/Change Healthcare, not the individual providers affected by the attack. The provider groups sought confirmation that UHG, which had already committed to handling breach reporting, would be responsible for notifying the public, government entities, and affected individuals.
This request for clarity comes as providers continue to struggle in recovering from the fallout of one of the largest healthcare breaches to date. Many organizations remain uncertain about their reporting obligations and are seeking reassurance from HHS that they can rely on UHG’s offer to manage the breach notification process. UHG has confirmed that it is working to meet these obligations, and OCR has issued FAQs reminding covered entities of their responsibilities. Providers are still seeking explicit confirmation that they will not be required to handle breach notifications themselves.
May 3, 2024: Senators Question UHG CEO
UnitedHealth Group CEO Andrew Witty faced questioning from the Senate Finance Committee on May 1, 2024, regarding the cyberattack on Change Healthcare. The breach, claimed by the ALPHV/BlackCat ransomware group, has impacted healthcare services across the U.S. since it occurred on February 21, 2024. This attack has led to delays in prescription processing, claims filing, and severe financial strain on healthcare providers, particularly in rural areas. Witty, who ultimately made the decision to pay a $22 million ransom, was pressed on the company’s cybersecurity practices and the consequences of the breach.
Witty expressed regret during the hearing over the incident and its fallout, acknowledging that compromised credentials were used to gain access to Change Healthcare’s systems. The hackers infiltrated a Citrix portal, which was not protected by multifactor authentication, a necessary security measure that could have prevented the attack. Witty admitted that this oversight was known to the company’s cybersecurity team, and it has since been rectified. He assured the Senate committee that UHG is working hard to recover from the breach and to improve its defenses against future attacks, adding that the company’s employees are working 24/7 to manage the response.
Senators, including panel chairman Ron Wyden (D-OR), were critical of UHG’s security practices, with Wyden describing the breach as a clear national security threat. He compared it to the 2015 Office of Personnel Management (OPM) data breach, which also exposed sensitive personal information. Wyden stated that the incident reflects the need for stricter cybersecurity standards for infrastructure, including healthcare systems. Senator Maggie Hassan (D-NH) asked UHG to immediately notify affected patients, pointing out that the HIPAA deadline for reporting the breach had already passed. Witty explained that the ongoing investigation into the breach is complex, and it could take several more months to identify all impacted individuals and issue the necessary notifications.
The breach has had an impact on the U.S. healthcare system, affecting claims processing, payments to providers, and patients’ access to services. According to a survey conducted by the American Medical Association between March 26 and April 3, 2024, more than 80% of physician practices lost revenue due to unpaid claims, with many relying on personal funds to cover expenses. Despite UHG’s efforts to restore services and provide financial assistance—totaling more than $6.5 billion—many healthcare providers continue to struggle with the lingering effects of the attack. Witty confirmed during the hearing that while claims processing has largely returned to normal, payments remain delayed, adding further pressure to an already strained healthcare system.
Several senators also raised concerns about the size and influence of UHG in the healthcare market. Senator Bill Cassidy (R-LA) questioned whether the company’s dominance created extra risks, noting that the scale of the attack had residual effects across the entire healthcare sector. Witty defended UHG’s size, arguing that the resources available to the company have enabled it to respond more effectively to the breach. This defense did little to alleviate concerns about UHG’s market power, with some senators suggesting that the company’s reach makes it a prime target for future attacks.
As the investigation into the breach continues, Witty claimed that UHG is committed to supporting affected individuals and healthcare providers. In addition to the financial assistance provided, UHG is offering free credit monitoring and identity theft protection for two years to anyone potentially impacted by the breach. Witty confirmed that the breach likely affects up to one-third of U.S. residents, meaning that the personal information of more than 100 million Americans could be at risk.
April 30, 2024: UnitedHealth Group CEO to Testify
UnitedHealth Group (UHG) CEO Andrew Witty is scheduled to testify before the House Energy and Commerce Oversight and Investigations Subcommittee on May 1, 2024, to provide details regarding the ransomware attack on Change Healthcare and its impact. Witty’s written testimony, already submitted ahead of the hearing, outlines the company’s response to the cyberattack, the decision to pay the ransom, and the ongoing recovery process.
Witty explained in his statement that UHG has been working tirelessly since the incident began on February 12, 2024, when a threat actor infiltrated the Change Healthcare network using compromised credentials. The threat actor exploited a Citrix portal that lacked multifactor authentication, gaining remote access to the system and moving to exfiltrate data. Ransomware was deployed nine days later, encrypting data and causing a disruption to Change Healthcare’s services.
The ransomware attack, perpetrated by the ALPHV/BlackCat group, led to the encryption of key systems, resulting in nationwide disruptions to healthcare billing, payments, and data systems. Witty confirmed that the attack was contained within Change Healthcare’s systems and did not extend to UHG’s other operations, including its Optum and UnitedHealthcare divisions. He did acknowledge the severity of the situation, describing his decision to pay the ransom as one of the hardest he has ever made. The ransom payment, reported to be $22 million, was intended to prevent the public release of stolen data, though the data was later obtained by a second group, RansomHub, which has since leaked portions of the data.
In his testimony, Witty mentioned the difficulties associated with the ongoing data review, which is expected to take months. He noted that UHG is working with cybersecurity experts to monitor the dark web for any publication of the stolen data and is offering free credit monitoring and identity theft protection for two years to affected individuals. UHG has also established a dedicated call center to provide support and assistance during this process. The company has created a website, where individuals can find information and sign up for these protections.
Lawmakers are expected to question Witty on the security vulnerabilities that allowed the attack to occur, including the absence of multifactor authentication on the Citrix portal. Witty acknowledged the security lapse, explaining that UHG took immediate action to sever connections with Change Healthcare’s data centers to prevent the spread of the ransomware. While this move caused disruption, he maintained that it was necessary to contain the threat and minimize harm.
Witty’s testimony also provided an update on the restoration of Change Healthcare’s services. Pharmacy and medical claims processing systems have been restored to near-normal levels, with 99% of pharmacies and a majority of healthcare providers able to process claims. Payment processing has reached approximately 86% of pre-incident levels, with full restoration of remaining services expected in the coming weeks. Witty reiterated that UHG is offering to assist affected stakeholders with breach notifications and administrative requirements to help ease the burden on healthcare providers and customers whose data may have been compromised.
Witty may also face questions from lawmakers about UHG’s dominance in the healthcare market. Some lawmakers, such as Subcommittee Ranking Member Anna G. Eshoo (D-CA), have raised concerns about the national security risks posed by UHG’s consolidation of healthcare services, following its acquisition of Change Healthcare in 2022. The company’s growing influence in the healthcare sector, along with the impact of the cyberattack, has led to requests for increased regulatory oversight and improved cybersecurity standards across the industry.
April 23, 2024: Ransom Paid to BlackCat to Prevent Publication of Stolen Data
UnitedHealth Group (UHG) has confirmed that a ransom was paid to the BlackCat/ALPHV ransomware group in an effort to prevent the publication of stolen data from its subsidiary, Change Healthcare. While UHG did not disclose the exact amount, it is reported that $22 million was paid. The stolen data was not deleted, and it was subsequently obtained by a second ransomware group, RansomHub. After UHG and Change Healthcare declined to pay the new ransom demand, RansomHub began leaking screenshots of the stolen data.
UHG revealed in an official statement that its investigation into the February 2024 cyberattack confirmed the compromise of protected health information (PHI) and personally identifiable information (PII). UHG has not provided details about the specific types of data affected, nor has it disclosed the total number of individuals impacted. The company warned that the breach could involve a large portion of the U.S. population, as Change Healthcare processes data for one in three Americans. This could make the incident one of the largest healthcare data breaches in history, affecting over 100 million individuals.
As of April 23, 2024, UHG has not yet issued official breach notifications to affected individuals. The company noted the complexity of its data review, which could take several months to complete. UHG stated that it is working with leading industry experts to analyze the compromised data. UHG has launched a dedicated website and call center to provide support to those concerned about the potential impact on their personal data. Individuals can enroll in complimentary credit monitoring and identity protection services for two years through the website, or by calling 1-888-846-4705.
An update on Change Healthcare’s service restoration has also been provided. UHG reported that pharmacy services and medical claims systems have been restored to near-normal levels, with 99% of pharmacies and a majority of healthcare providers able to process claims. Payment processing is still lagging at approximately 86% of pre-incident levels, and some healthcare providers continue to experience delays in billing and payment. UHG has confirmed that around 80% of Change Healthcare’s functionality has been restored, with full restoration expected in the coming weeks.
The Wall Street Journal reported that the breach occurred after hackers gained access to Change Healthcare’s systems nine days before the ransomware was deployed on February 21, 2024. Compromised credentials were used to infiltrate the system, and multifactor authentication was reportedly not enabled on the account that was exploited. The hackers were able to move laterally through the network for nearly two weeks, gaining access to large amounts of data before launching the attack.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has launched an investigation into whether Change Healthcare and UHG were in compliance with HIPAA regulations at the time of the attack. OCR has also published a webpage addressing frequently asked questions related to the HIPAA implications of the breach. The page reminds healthcare organizations that they must have business associate agreements in place with Change Healthcare and outlines their responsibility to issue breach notifications in accordance with HIPAA guidelines. Covered entities have up to 60 days from the date of discovery to report breaches of unsecured PHI.
As the data review and recovery process continues, scammers have begun targeting patients affected by the breach. Nebraska’s Bryan Health recently issued a warning after several patients reported receiving calls from scammers posing as hospital representatives offering refunds related to the cyberattack. The scammers requested credit card information, prompting warnings from healthcare providers to be vigilant and avoid sharing personal information over the phone. The Nebraska Hospital Association has urged patients to verify the legitimacy of any unsolicited calls by contacting their healthcare provider directly.
UHG is working to restore full services and provide support to affected individuals, and the company remains in communication with law enforcement and regulatory bodies as it handles one of the largest healthcare data breaches to date. Further updates are expected as the data review continues, and UHG has assured stakeholders that it will provide timely notifications once more information is available. The impact of the breach is still unfolding, and the company’s response efforts remain under scrutiny from both regulators and lawmakers.
April 19, 2024: Change Healthcare Investigating Possible Leak of Sensitive Patient Data
Change Healthcare continues to face challenges in the aftermath of the February ransomware attack by ALPHV/BlackCat. On April 17, 2024, the company confirmed it is investigating the possible leak of sensitive patient data after the new ransomware group, RansomHub, began publishing screenshots of stolen files. These screenshots reportedly include data-sharing agreements between Change Healthcare and its clients, as well as some files containing patient information. RansomHub claims to have acquired the stolen data from an affiliate of ALPHV, after the original group allegedly pocketed a $22 million ransom without compensating the affiliate responsible for the breach.
RansomHub has set a five-day deadline for Change Healthcare and its parent company, UnitedHealth Group (UHG), to pay a ransom, threatening to auction off the data if a payment is not made. The group insists that the data has not been publicly leaked or sold yet, a claim that cybersecurity experts are still investigating. While Change Healthcare has acknowledged the ransom demand, it has not confirmed whether the leaked data is from the February attack. UHG has confirmed that personal health and identifiable information were stolen and is working with forensic experts to assess the full extent of the breach.
Providers continue to struggle financially due to the lasting effects of the cyberattack. A recent survey conducted by the American Medical Association (AMA) revealed the widespread impact on physician practices. According to the survey, 36% of physician practices have experienced suspended claims payments, and 32% have been unable to submit claims at all. 80% of respondents reported revenue loss from unpaid claims, while 55% have had to use personal funds to cover expenses incurred during the disruption. These financial strains have prompted fears of closures, as many practices, particularly smaller ones, remain vulnerable to the ongoing effects of the attack.
Efforts to recover from the ransomware attack have been slow, and dissatisfaction with UnitedHealth Group’s response continues to grow. Lawmakers are demanding answers, particularly regarding the company’s preparedness and response to the attack. On April 8, 2024, Senators Josh Hawley and Richard Blumenthal wrote a letter to UHG CEO Andrew Witty, criticizing the company for its lack of redundancy and failure to prevent the outage, which has now stretched into its eighth week. The Senators requested detailed information on how the breach occurred, a timeline of events, and clarification on what UHG is doing to fill the revenue gaps faced by healthcare providers.
The House Committee on Energy and Commerce demanded similar answers, with some lawmakers raising concerns over UHG’s acquisition of Change Healthcare. Subcommittee member Anna G. Eshoo voiced concerns that the attack has exposed vulnerabilities in the U.S. healthcare system, noting that the consolidation of health services under UHG may have made the system a bigger target for cyberattacks. These lawmakers are now pushing for transparency and reforms to ensure that such disruptions do not happen again.
UnitedHealth Group is expecting a loss of up to $1.6 billion in 2024 due to the attack. The company has already spent approximately $872 million in direct-response costs, including $6 billion in temporary financial assistance to providers. Despite these losses, UHG reported that its first-quarter revenues surpassed expectations by $8 billion, showing the company’s financial resilience. The longer-term implications of the attack are still being assessed, and providers across the country continue to struggle with cash flow issues caused by the delay in processing claims.
April 8, 2024: UnitedHealth Group Confirms Data Theft
On April 8, 2024, UnitedHealth Group (UHG) confirmed that data had indeed been stolen in the February 21 ransomware attack on its subsidiary, Change Healthcare. After weeks of uncertainty and analysis, UHG revealed that sensitive data, potentially including personally identifiable health information, eligibility and claims data, and financial details, had been exfiltrated by the attackers. UHG cited the complications of accessing compromised systems as the reason for the delay in confirming the data breach, explaining that the process of mounting and decompressing files took time. The analysis of the stolen data is ongoing, with no timeline for completion yet.
A new ransomware group calling itself RansomHub has added to the turmoil, claiming to hold the data stolen in the original attack. RansomHub posted a demand to UHG, Change Healthcare, and Optum, giving the companies 12 days to pay a new ransom or face the public release of the 4 terabytes of stolen data. The group asserts that the ALPHV/BlackCat operation, which first carried out the attack, has since disbanded after internal disputes over ransom payouts. According to RansomHub, ALPHV had taken the full $22 million ransom payment made by Change Healthcare and failed to distribute it to the affiliate responsible for the breach, a claim that has yet to be verified.
RansomHub claims that it is now the sole entity in possession of the stolen data, which allegedly includes sensitive information from active U.S. military personnel, medical records, and payment details. The group has threatened to sell the data to the highest bidder if UHG and Change Healthcare fail to meet its ransom demands. Security researcher Dominic Alvieri, who first found the RansomHub post, noted that no signs of the stolen data have yet been found on dark web marketplaces, suggesting that the group may still be holding out for a payout. The environment remains unsettled, with cybersecurity experts raising questions about whether RansomHub is a rebrand of ALPHV or a separate group attempting to cash in on the original breach.
The rise of RansomHub has increased concerns about the long-term consequences of paying ransom demands. Experts like Ken Dunham, Cyber Threat Director at Qualys, warn that companies that give in to extortion schemes often become repeat targets, with criminals exploiting their vulnerabilities again and again. The confusion surrounding the ownership of the stolen data has left Change Healthcare in a precarious position, facing the possibility of paying a second ransom after allegedly paying the first to ALPHV.
Change Healthcare is also dealing with a mounting number of lawsuits related to the February attack. At least two dozen lawsuits have been filed by patients and healthcare providers, accusing the company of failing to implement appropriate cybersecurity measures. Change Healthcare has responded by working to consolidate these lawsuits, arguing that they share common legal and factual issues. The company’s motion to consolidate the cases in the United States District Court for the Middle District of Tennessee, where Change Healthcare is headquartered, seeks to shorten the legal timeline and avoid duplicative discovery or inconsistent rulings.
Change Healthcare continues to face delays due to a large backlog of medical claims and ongoing system outages. UnitedHealth Group has extended its financial assistance program, now offering more than $4.7 billion in temporary support to affected healthcare providers, with a focus on safety net hospitals and federally qualified health centers. Many providers are still struggling to regain their footing, and the full impact of the ransomware attack is expected to be felt for months to come. The situation at Change Healthcare highlights the dangers of relying on criminal actors to honor their agreements and the complexities of negotiating with multiple ransomware groups. As the investigation into the breach continues, it remains unclear how much longer UHG and Change Healthcare will have to contend with the aftershocks of this unprecedented attack. The emerging involvement of RansomHub only adds to the uncertainty, raising questions about the future of ransomware negotiations and the effectiveness of paying ransoms in the first place.
March 25, 2024: Change Healthcare Faces Scrutiny Over Ransomware Breach Notifications as Recovery Efforts Continue
The fallout from the February 2024 cyberattack on Change Healthcare continues, with new developments concerning data breach notifications and the investigation by the U.S. Department of Health and Human Services (HHS). The American Hospital Association (AHA) has raised concerns over the handling of breach notifications following a letter from the HHS Office for Civil Rights (OCR), which reminded entities affected by the attack of their obligations under HIPAA. While Change Healthcare is the primary entity responsible for notifying affected individuals and HHS, the AHA is seeking clarity to ensure that hospitals and healthcare providers are not subject to redundant notification requirements, which may confuse patients and add unnecessary costs.
In the letter to the HHS, the AHA asked for clear guidance, arguing that Change Healthcare, as a covered entity, bears the responsibility for issuing breach notifications. The concern derives from the possibility that healthcare providers may also be required to notify patients, leading to duplication of efforts. The Washington State Hospital Association (WSHA) affirmed these concerns, advising its members to review their business associate agreements with Change Healthcare to ensure that responsibilities are clearly outlined, including breach notification timing and indemnification.
Concerns have also been raised regarding scam activities targeting patients affected by the breach. In Minnesota, both the Hospital Association and the Attorney General’s office have issued warnings about fraudulent calls where scammers, posing as hospital or pharmacy representatives, have attempted to steal personal information. While it remains unclear whether these calls are directly linked to the stolen data from the cyberattack, healthcare officials ask patients to be watchful and contact their healthcare providers directly if they receive any suspicious communications.
Criticism continues to build over the pace of Change Healthcare’s recovery efforts. Despite restoring some services, including pharmacy and payment platforms, more than 100 services remain offline after more than four weeks since the attack. Experts have expressed concerns over whether Change Healthcare had adequately prepared for such a large-scale incident. Brett Callow, a threat analyst at Emsisoft, questioned whether proper backups were in place and if the company had an incident response plan that had been tested. The slow recovery has caused disruption across the U.S. healthcare system, leading to delayed payments and processing issues for healthcare providers.
UnitedHealth Group (UHG), Change Healthcare’s parent company, has provided more than $2.5 billion in financial assistance to reduce the financial strain on providers. This assistance has been important in helping smaller practices manage cash flow problems exacerbated by the ongoing outages. UHG has also confirmed that it is working through a backlog of over $14 billion in claims, with progress expected soon. The largest clearinghouses are scheduled to come back online in the coming days, which should help alleviate some of the difficulties healthcare providers have been facing.
The HHS OCR has launched an investigation into Change Healthcare’s compliance with HIPAA regulations, a swift move given that such investigations usually occur months or even years after an incident. The investigation aims to determine whether the breach compromised protected health information (PHI) and whether Change Healthcare and UHG adhered to the required privacy and security measures under HIPAA. OCR Director Melanie Fontes Rainer stressed the importance of protecting PHI and stated that business associates, including healthcare providers using Change Healthcare’s systems, must guarantee that they have proper agreements in place and are prepared to notify individuals and HHS in a timely manner if necessary.
March 15, 2024: UnitedHealth Group Identifies Attack Vector in Change Healthcare Ransomware Attack
After weeks of investigation, UnitedHealth Group (UHG) announced on March 15 that it has identified the source of the cyberattack that crippled Change Healthcare’s systems since February 21. The company confirmed that cybersecurity firms Mandiant and Palo Alto Networks have been assisting with a forensic analysis, which has now identified the attack vector used by the ransomware group known as BlackCat, also referred to as ALPHV.
With the attack vector identified, UHG has established a secure restore point, allowing the company to begin the process of restoring non-operational systems and recovering compromised data. While UHG has not publicly disclosed the specific method of intrusion, there was earlier speculation that vulnerabilities in ConnectWise ScreenConnect, a remote desktop and meeting software, might have been exploited. These vulnerabilities were discovered on February 15 and publicized on February 19, just days before the ransomware attack was detected. UHG has neither confirmed nor denied this speculation, and it remains unclear whether these vulnerabilities were indeed the entry point for the attackers.
UHG has also made progress in restoring its other services. New instances of the Rx Connect (Switch) and Rx ePrescribing services have been brought online. The company has also enabled the Rx Edit and Rx Assist services, which are now accessible to customers who have configured direct internet access connectivity. As of March 13, UHG reported that over 99% of pre-incident claim volumes are now flowing through the system, indicating progress toward its former operational capacity.
The U.S. Department of Health and Human Services (HHS) has initiated an investigation to determine whether protected health information (PHI) was compromised and if Change Healthcare complied with all privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). UHG has stated that it will share more details about the investigation and recovery efforts in the coming days, though it remains uncertain whether this will include specifics about how the attackers breached the system.
The cyberattack has exposed weaknesses in the healthcare IT industry’s infrastructure, especially when a large vendor like Change Healthcare faces a security breach. The ALPHV ransomware group targeted a link in the healthcare financial and claims processing chain, causing widespread operational disruptions. The attack led to challenges for healthcare providers, including delays in processing insurance claims and payments, which in turn affected patient care and pharmacy operations.
To lessen the impact on healthcare providers, UHG had earlier announced a phased reconnection and testing plan for Change Healthcare’s claims systems, scheduled for completion next week. The company has also expanded its financial assistance program to support providers facing cash flow issues due to the outage. This program offers advance payments based on historical payment levels, which providers are not required to repay until after normal claims processing resumes. As the recovery process continues, UHG has told healthcare providers to utilize established workarounds, such as the new iEDI claim submission system, to maintain continuity of operations. The company also recommends that clients configure direct internet access to take advantage of the restored services. The full restoration of all systems and services is expected to take more time.
March 11, 2024: Change Healthcare Begins Recovery as UnitedHealth Group Expands Financial Assistance Program
Following weeks of disruptions from the ransomware attack that began on February 21, Change Healthcare has provided updates on its recovery efforts, with some services already back online. In its most recent statement, Change Healthcare indicated that its electronic prescription service had been reestablished, a step toward normalizing operations. Numerous other systems, including those related to claims processing and payments, remained offline, creating financial and operational challenges for healthcare providers across the country.
As Change Healthcare continues its recovery, UnitedHealth Group, the company’s parent organization, announced a timeline for the restoration of systems. By March 15, electronic payment services are expected to be operational, and testing for claims processing systems is slated to begin on March 18. While these timelines offer some relief, many healthcare providers are still struggling with the fallout of the cyberattack, which disrupted their ability to process insurance claims and payments. The outage has caused delays in both pharmacy and hospital operations, with some providers resorting to manual workarounds, leading to increased administrative burdens and operational inefficiencies.
UnitedHealth Group also expanded its financial assistance program to help providers manage cash flow problems resulting from the disruption. Initially launched shortly after the attack, the program was met with criticism due to stringent terms. The revised assistance program now offers advance payments based on providers’ historical payment levels, which do not need to be repaid until after claims flow is fully restored. This expansion is aimed at providers who have explored every contingency, or are working with payers that do not offer similar financial support. The American Medical Association (AMA) has endorsed UnitedHealth’s initiative but stressed the need for other measures to assist physician practices that continue to face problems due to the outage.
The road to full recovery remains uncertain, as Change Healthcare processes over 15 billion healthcare transactions annually, and the ongoing disruptions are likely to have long-lasting effects on the healthcare industry. According to UnitedHealth Group, workarounds have been deployed to allow providers to continue submitting claims, but full service restoration is still several weeks away. Concerns about data breaches and potential class action lawsuits also continue to loom as investigations into the extent of the data stolen during the attack progress. While the ePrescribing service has been restored, other services are expected to remain offline until at least mid-March. UnitedHealth Group has advised healthcare providers to use temporary systems and workarounds to ensure continued operations until the situation is fully resolved. The company will continue to provide updates as the recovery progresses, while also working with cybersecurity firms and law enforcement to address the aftermath of the BlackCat ransomware attack.
February 26, 2024: BlackCat Confirmed as Culprit in Change Healthcare Cyberattack
Change Healthcare confirmed on February 26, 2024, that the ongoing cyberattack disrupting its services is being perpetrated by the ALPHV/BlackCat ransomware group. This disclosure was made as the company continues to battle the aftermath of the attack, which began on February 21 and has led to disruptions across the U.S. healthcare sector, affecting pharmacies nationwide. In its latest update to customers, Change Healthcare acknowledged that it is dealing with a cybersecurity issue initiated by a threat actor that identified itself as BlackCat. The company has engaged law enforcement and leading cybersecurity firms, including Mandiant and Palo Alto Networks, to manage the situation and mitigate the impact on its systems, members, patients, and customers.
The ransomware group, known for its double extortion tactics, claims to have exfiltrated 6 terabytes (TB) of data from Change Healthcare, including sensitive information related to various clients such as Medicare, Tricare, CVS, and MetLife. BlackCat reportedly posted about the attack on the dark web, only to delete the post later. Experts including Brett Callow from Emsisoft caution that ransomware groups often exaggerate the scale of data theft to pressure victims into negotiations.
Change Healthcare has assured the public that it has implemented multiple workarounds to ensure continued access to medications and healthcare services, although the disruption remains severe. The company reiterated its intention to take a proactive and aggressive approach in restoring its systems, promising immediate action if any further issues are detected. As of February 26, the disruption had already lasted six days, with 117 applications and components still affected. The company’s focus is on restoring operations without cutting corners or introducing additional risks. Daily updates are being provided to keep stakeholders informed of progress, yet a definitive timeline for full recovery remains elusive.
The identification of BlackCat as the culprit behind the attack contrasts with earlier reports from UnitedHealth Group, Change Healthcare’s parent company, which suggested that the attack might have been the work of a nation-state-associated actor. This discrepancy has raised questions, as BlackCat is recognized as a financially motivated cybercriminal group with no known ties to any nation-state. The nature of the breach and how the attackers gained access to Change Healthcare’s systems are still under investigation, with no conclusive evidence provided by either the company or law enforcement.
The cyberattack has had an impact on pharmacy operations across the United States. Major chains like CVS Health and Walgreens have reported delays in processing prescriptions due to their inability to transmit insurance claims through the compromised systems. The American Pharmacists Association (APhA) has noted that many pharmacies are experiencing backlogs, leading to frustration and potential risks for patients who rely on timely access to their medications. The full extent of the damage and the long-term implications of the breach are still unfolding, with stakeholders across the industry monitoring the situation.
February 22, 2024: Cyberattack on Change Healthcare Causes Nationwide Disruption in Healthcare Services
Nashville-based healthcare billing and data systems provider Change Healthcare recently disclosed that a cyberattack has impacted its network operations. The breach was identified on February 21, 2024, and the company moved quickly to contain it and limit its effects. In a statement on its status page, Change Healthcare reported that it disconnected its systems as soon as the threat was detected, in an effort to protect its partners and patients.
Change Healthcare’s services are integral to the operations of over 67,000 pharmacies across the United States, including military pharmacies and healthcare facilities served by Tricare, the healthcare provider for the U.S. military. The cyberattack has caused delays in prescription processing, leaving many patients unable to fill their prescriptions through insurance plans. Pharmacies nationwide are experiencing backlogs as they attempt to manage the disruption caused by the attack.
Following the detection of the cyberattack, Change Healthcare’s priority was to disconnect its systems to contain the breach. The company’s cybersecurity experts have been working hard to lessen the effects of the attack and restore the affected systems. The network disruption has persisted despite these efforts, causing continued delays in processing prescriptions at pharmacies across the country. Patients have reported difficulties in getting their medications, with some being forced to pay out of pocket due to the inability to process insurance claims.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on February 22, 2024, UnitedHealth Group, the parent company of Change Healthcare, confirmed that the cyberattack had affected multiple systems within the organization. The filing noted that it is still too early to determine whether any patient data has been compromised. UnitedHealth could not provide a definitive timeline for when the disrupted systems would be fully operational again.
UnitedHealth Group has indicated that the cyberattack may have been conducted by a nation-state actor, rather than a typical cybercriminal group. No further details have been provided, and this suspicion has added a note of caution to the situation. The investigation into the source of the attack is ongoing, and both Change Healthcare and UnitedHealth are working closely with cybersecurity experts to understand the breach fully.
The American Hospital Association (AHA) has issued an advisory to healthcare organizations connected to Optum, a subsidiary of UnitedHealth Group that relies on Change Healthcare’s services. The AHA has recommended that affected organizations consider disconnecting from Optum systems as a precautionary measure until the situation is resolved. This recommendation aims to prevent further spread of the disruption. Healthcare providers are also being advised to switch to manual processes where possible to ensure that patient care continues with minimal interruption.
As Change Healthcare continues to address the cyberattack, the focus is to restore normal operations as quickly and safely as possible. The company has committed to providing updates on its status page as more information becomes available. Pharmacies and healthcare providers across the country are managing the disruption, with many continuing to experience delays in processing prescriptions. The cyberattack on Change Healthcare has created challenges for the U.S. healthcare system, which continues to be an attractive target for cyber threat actors. As recovery efforts proceed, protecting patient information and restoring the services affected by the breach remain the priorities.