Change Healthcare Data Breach: 192.7 Million Affected

This article includes a timeline of the Change Healthcare ransomware attack as information was released and includes known information about the Change Healthcare data breach, which has now been confirmed as the largest-ever healthcare data breach in the United States. This article will be updated when further information becomes available about the data breach, response, remediation, and repercussions, so please bookmark this page and check back regularly.

August 7, 2025: Change Healthcare Data Breach: 192.7 Million Affected

Change Healthcare has provided its final estimate of the number of individuals affected by its February 2024 ransomware attack, increasing the total to an estimated 192.7 million from the previous estimate of 190 million. That figure is almost double that of its first estimate of 100 million individuals. The 192.7 million total includes approximately 1.3 million individuals who were notified by the affected covered entities rather than Change Healthcare.

The ransomware attack was detected on February 21, 2024, and caused massive disruption to healthcare providers across the country due to the prolonged outage of its clearinghouse systems. The investigation revealed that the ransomware group accessed its network via a remote access Citrix portal that lacked multifactor authentication.

A BlackCat ransomware affiliate exfiltrated data, then used ransomware to encrypt files. A $22 million ransom was paid to no effect, as the ransomware group pocketed the money but did not delete all the data. The affiliate retained a copy and tried to obtain a further ransom payment through a different ransomware group, RansomHub, but Change Healthcare’s parent company, UnitedHealth Group, refused to pay.

The file review has been a long-winded process which is now drawing to a close. Change Healthcare has confirmed that the call center set up to deal with queries about the data breach will be closing on August 26, 2025, which will also be the last day that victims of the breach can register for the complimentary credit monitoring and identity theft protection services that have been made available.

Final notices are now being sent to state attorneys general confirming the number of individuals affected in each state. In a letter to the New Hampshire attorney general, Change Healthcare explained that it has made reasonable best efforts to deduplicate individuals included in the numbers provided, but despite those efforts, full deduplication was not feasible. Therefore, the figures provided may be higher than the actual number of affected individuals. There may also be an overestimation of the number of individuals affected, as some may have been associated with more than one data owner.

Change Healthcare was unable to link a significant percentage of the affected individuals to a particular covered entity client. In those cases, notification letters were still sent, but they were attributed to an unidentified covered entity. UnitedHealth Group’s latest estimate of the cost of the attack was $3.09 billion, although that total could continue to rise.

January 24, 2025: 190 Million Individuals Affected by Change Healthcare Data Breach

UnitedHealth Group has almost doubled its estimate of the number of individuals affected by the Change Healthcare data breach, which is now known to have affected approximately 190,000,000 individuals. The previous figure of 100 million individuals provided to the HHS’ Office for Civil Rights in October 2024 was an interim figure, as the file review was ongoing at the time. On January 14, 2025, Change Healthcare issued an update confirming the file review was substantially complete and Change Healthcare did not expect to identify any additional affected clients, although files are still being reviewed. UnitedHealth Group does not have a final figure for the total number of affected individuals, but when that figure is confirmed, the Office for Civil Rights will be notified.

It has been 11 months since the ALPHV/BlackCat ransomware group breached Change Healthcare’s network using compromised credentials for access. Stolen credentials alone should not have been sufficient to grant access to Change Healthcare’s network; however, the credentials provided access to a Citrix server that did not have multifactor authentication enabled. The threat actor was then able to move laterally within Change Healthcare’s network and used ransomware to encrypt files around 9 days later. A vast amount of sensitive data was exfiltrated, undetected, before file encryption.

The attack resulted in a prolonged outage of Change Healthcare’s systems and affected healthcare organizations across the country, disrupting billing and payments for healthcare services, which naturally had an impact on patients. UnitedHealth Group established a financial assistance program for the affected providers and has offered complimentary credit monitoring and identity theft protection services to individuals affected by the data breach, but some affected individuals have yet to receive a notification that their data was involved. Change Healthcare has confirmed that the vast majority of notification letters have now been mailed.

At 190 million breached records, this is the largest healthcare data breach in history, not just in the United States but worldwide. The previous unenviable record was held by Anthem Inc., which suffered a 78.8 million-record data breach in 2015. In 2023, record numbers of healthcare records were breached, with the final 2023 total standing at more than 168 million healthcare records. The latest total from the Change Healthcare data breach takes the 2024 total past 275 million healthcare records – 82% of the population of the United States.

January 16, 2025: Change Healthcare Data Breach Notifications “Substantially Complete”

An update has been issued about the Change Healthcare data breach this week confirming that the file review is “substantially complete.” Change Healthcare does not anticipate identifying any more customers who had data stolen in the attack; however, the process of mailing notifications to the affected individuals is ongoing.

According to Change Healthcare’s January 14, 2025, update, the affected customers have been notified but Change Healthcare is still awaiting directions from some of those entities about mailing notification letters on their behalf, which means 11 months after the ransomware group encrypted data on its network and stole the protected health information of an estimated 100 million individuals, some of those individuals have still not been notified that their data was stolen. Further, Change Healthcare said, “we may not have sufficient addresses for all potentially impacted individuals,” which means some individuals may never learn that their data was stolen in the attack.

Change Healthcare has been issuing notifications to the affected customers on a rolling basis, starting on June 20, 2024, four months after the ransomware attack was detected. Further notifications were issued on August 8, 2024, September 16, 2024, November 21, 2024, and December 4, 2024. With the notification process almost complete, Change Healthcare should soon be in a position to confirm to the HHS’ Office for Civil Rights exactly how many individuals have been affected. The OCR breach portal still lists the data breach as affecting an estimated 100 million individuals.

December 18, 2024: Nebraska Attorney General Files Lawsuit Over Change Healthcare Data Breach

A lawsuit has been filed against Change Healthcare, UnitedHealth Group, and Optum by Nebraska Attorney General Mike Hilgers over the ransomware attack and 100-million-record Change Healthcare data breach. This is the first litigation initiated by a state Attorney General over the ransomware attack and data breach, but it is unlikely to be the last. Attorneys General in other states are likely to file similar lawsuits over alleged violations of federal and state laws.

AG Hilgers said the personal and protected health information of at least 575,000 Nebraskans was stolen from Change Healthcare, and potentially up to 1 million state residents were affected. The lengthy outages caused by the attack and the theft of sensitive data have caused considerable harm to providers and patients. Those harms could have been prevented had the defendants implemented straightforward security measures, according to AG Hilgers.

AG Hilgers alleges systemic failures at Change Healthcare and poor security practices exacerbated the data breach, prevented healthcare providers from delivering timely care, and put Nebraskans at risk of identity theft and fraud. According to the lawsuit, Change Healthcare had outdated and poorly segmented systems, some of which were up to 40 years old, and the company failed to meet basic enterprise security standards, including implementing multifactor authentication.

There was an inadequate response to the breach, which was not detected for 9 days, during which time the hackers were able to exfiltrate a huge amount of sensitive data. Poor backup processes meant the hacker was able to shut down primary and backup systems, which caused huge operational disruptions, including stopping prior authorizations for medical care and prescriptions that left patients without essential treatment and medications.

The affected individuals were not notified about the breach for months. Individual notifications did not start to be mailed for 5 months, and they still have not all been mailed. The attack placed significant financial and operational burdens on Nebraska hospitals, pharmacies, and doctors’ offices and caused significant harm to patients, including delays to care and putting them at risk of identity theft, financial fraud, and other harms from the exploitation of their personal information.

The lawsuit alleges these failures violated Nebraska’s Consumer Protection Act, Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, and the Uniform Deceptive Trade Practices Act. The lawsuit seeks civil penalties, restitution, and an order from the court compelling the defendants to improve their data security practices.

“Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable,” said AG Hilgers. A spokesperson for Change Healthcare said, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”

December 5, 2024: Change Healthcare Data Breach Settlement Talks to Start This Month

The Change Healthcare data breach triggered many class action lawsuits, the first of which were filed months before Change Healthcare had started issuing notification letters to the individuals affected by the ransomware attack.

Change Healthcare sought to have the lawsuits consolidated in Tennessee; however, in June, a Federal Judicial Panel on Multidistrict Litigation consolidated 50 of those lawsuits into a single action in the District of Minnesota. Two-fifths of the lawsuits had been filed by individuals whose personal information was compromised in the Change Healthcare ransomware attack and three-fifths by healthcare providers who alleged they had not been paid for service provided during the attack and outage.

The data breach has now been reported to the HHS’ Office for Civil Rights as affecting 100 million individuals, and individual notification letters are still being mailed, so some of the affected individuals are only just learning that their personal and protected health information was compromised in the attack.

In September 2024, following an initial conference with U.S. District Court Judge Donovan Frank, a text order was issued directing lead counsel for the plaintiffs and defense to hold in-person, ex parte meetings with U.S. Magistrate Judge Dulce J. Foster early in the multidistrict litigation to discuss a possible Change Healthcare data breach settlement.

On December 18, 2024, attorneys for the plaintiffs will meet with Judge Foster in Minneapolis to discuss a potential settlement that would allow the 100 million individuals affected by the attack to file claims to recover losses and to be compensated for having their names, contact information, Social Security numbers, and health information stolen in the attack. On January 30, 2025, Change Healthcare’s attorneys are scheduled to have a similar meeting with Judge Foster to discuss a potential settlement.

A consolidated class action lawsuit against Anthem Inc. over its 78.8 million-record data breach in 2015 resulted in a settlement of $115 million in 2017. The Change Healthcare data breach settlement is likely to be considerably larger, given that 100 million individuals were affected.

November 21, 2024: Change Healthcare Reaches Major Milestone in Ransomware Attack Recovery

A recent study of 1,800 IT decision-makers by the cloud service provider Fastly revealed it takes 7.34 months on average to recover fully from a cybersecurity incident, but for Change Healthcare the recovery from its ransomware attack has taken considerably longer.

Almost 9 months to the day after the ransomware attack, Change Healthcare completed the restoration of its clearinghouse services, and while all systems and services have now been restored, some are still not fully operational. The Clinical Exchange electronic health record exchange, pharmacy claims management platform MedRx, and the Payer Print Communication Multi-Channel Distribution System, which is used for payment document printing, are still not listed as fully operational on the Change Healthcare update page.

The ransomware attack has cost the company more than $2 billion and the attack is continuing to have an impact on revenues due to lost business, as some affected providers sought alternative clearinghouse services. Change Healthcare is working on winning back customers.

Change Healthcare has confirmed that 100 million individuals had their protected health information compromised in the attack and notification letters are still being mailed. Some recipients of those letters were confused about why Change Healthcare had their data, as they had no direct dealings with the company. Many voiced their concerns online about whether the notification letters were a scam.

According to the American Hospital Association, around 94% of hospitals were affected by the outage as the 15 billion transactions processed by Change Healthcare each year came to a screeching halt. The outage caused massive disruption at healthcare providers across the country, resulting in a major loss of revenue and preventing them from billing and being paid for their services. UnitedHealth Group established a temporary financial assistance program to help ease the strain and issued billions in no-cost loans. The repayment phase has now commenced, and according to the latest update, $3.2 billion of the $9 billion in loans have now been paid back.

October 24, 2024: 100 Million Individuals Affected by Change Healthcare Data Breach

Change Healthcare has confirmed the number of people affected by its February 2024 ransomware attack. The data breach was initially reported to the HHS’ Office for Civil Rights (OCR) as affecting at least 500 individuals, but the total has now been updated to 100 million individuals – almost one-third of the population of the United States.

Under the HIPAA Breach Notification Rule, HIPAA-regulated entities have 60 days from the date of discovery of a data breach to notify OCR and send individual notifications. Due to the scale of the data breach and the difficulty of the file review, Change Healthcare is still sending individual notifications.

OCR has confirmed in past guidance that if the number of individuals affected has yet to be determined, the breach should still be reported within 60 days, but an estimate should be provided to OCR on the likely number of affected individuals. Many data breaches are reported using a placeholder figure of 500 or 501 individuals, but it was a surprise when Change Healthcare reported the breach with a 500-placeholder figure, as the breach was known to have affected millions of individuals. It remains to be seen if that is the last time the total will be updated.

As it stands, the Change Healthcare data breach is the largest data breach ever reported to OCR. The previous record has stood since 2015 when Anthem Inc. suffered an unprecedented data breach that affected 78.8 million individuals.

A data breach of 100 million records is certain to make 2024 the worst-ever year for breached records. Currently, the OCR data breach portal shows the records of more than 165 million individuals have been exposed or stolen from HIPAA-regulated entities in 2024, around 600,000 short of the total for 2023. With a little over 9 weeks left in 2024, 2023’s record-breaking figure for breached records will certainly be broken.

From January 1, 2023, to October 24, 2024, 332,402,468 healthcare records have been reported as having been breached at HIPAA-regulated entities. That’s just 9 million records short of the entire population of the United States in 2024. Something clearly needs to be done to improve cybersecurity in the healthcare sector.

There have been calls for updated regulations for the healthcare sector including an update to the 20-year-old HIPAA Security Rule. That update looks like it is finally about to happen as the HHS has confirmed that its proposed update to the HIPAA Security Rule has been handed over to the Office of Information and Regulatory Affairs at the Office of Management and Budget for review. OCR anticipates issuing a Notice of Proposed Rulemaking (NPRM) on the proposed HIPAA Security Rule update before the end of the year. Even if the HHS sticks to that schedule, it will likely be 2026 before HIPAA-regulated entities are required to comply with the new cybersecurity measures.

States such as New York have given up waiting for further federal cybersecurity regulations for the healthcare sector and have implemented their own cybersecurity regulations for state hospitals, some of which are effective immediately, although most must be implemented no later than October 2025.

Oct 22, 2024: Change Healthcare Data Breach Cost Rises to $2.46 Billion

The cost of the February 2024 ransomware attack and data breach at Change Healthcare was predicted to be $1.6 billion in 2024 at the end of Q1, and the estimate was then increased to between $2.3 billion and $2.45 billion at the end of Q2. The estimated costs have now increased again and are predicted to rise to $2.457 billion by the end of the year, according to UnitedHealth Group (UHG) in its Q3 2024 earnings report.

The ransomware attack on Change Healthcare caused considerable disruption to business operations; however, UHG still managed to achieve 9% year-on-year growth in revenues, which rose to $100.8 billion, and earnings are at $7.15 per share, up from $6.56 per share a year ago. Those earnings include $0.12 in business disruption impacts but exclude $0.28 in direct response costs.

UHG has made considerable progress in recovering from the hugely disruptive ransomware attack. The majority of systems are back online, payments for most care providers have normalized, and providers have started paying back the loans UHG provided, with $3.2 billion of the $8.9 billion in loans now paid back. UHG said transaction volumes have not yet returned to pre-attack levels and efforts are ongoing to increase the volume and win new business. UHG CEO Andrew Witty said he expects that next year’s full impact will be around half of the 2024 level.

While progress has been made in recovering systems and data and individual notifications are now being mailed to the affected individuals, Change Healthcare has not yet confirmed how many individuals had their protected health information exposed in the attack. The breach was reported to the HHS’ Office for Civil Rights using an estimate of 500 affected individuals which raised a few eyebrows, as Witty had previously testified that a substantial proportion of the population of the United States had likely been affected. That total will be updated when the file review is completed, but 8 months on from the attack, OCR has not been provided with an updated figure.

Sen. Wyden Demands Answers from UHG on Pre-Attack Change Healthcare Security Audits

Senator Ron Wyden, Chair of the Senate Finance Committee, has written to UHG CEO Andrew Witty seeking answers about cybersecurity at Change Healthcare prior to the February 2024 ransomware attack. Witty gave testimony before the committee in June 2024 on the attack and incident response. Witty was asked questions by committee members and provided answers; however, Sen. Wyden said several of the responses were inadequate. “You provided vague, unclear information about the incident and the degree to which it was caused by your company’s lax cybersecurity practices,” Sen. Wyden said in the letter.

Sen. Wyden followed up with UHG after the hearing seeking further information, and responses were received, but his questions were not answered satisfactorily. In those responses, UHG said that third-party auditors were hired to assess the security of Change Healthcare’s IT infrastructure before the attack; now Wyden is seeking more specific information on the findings of those audits.

Witty explained at the hearing that the initial access occurred on a server that did not have multifactor authentication (MFA) enabled. Sen. Wyden wants to know whether that specific server was included in the security audits prior to the attack. After gaining initial access, the attacker escalated privileges and gained access to Change Healthcare’s “crown jewels” – the Microsoft Active Directory server.

Sen. Wyden asked Witty whether the method used by the attacker to escalate privileges was identified by the security auditors and whether they made any recommendations for addressing the issue to prevent that method from being used. Sen. Wyden also wants to know what measures have been implemented to ensure that method cannot be used again, and whether the mitigations implemented by UHG to prevent privilege escalation have been tested and verified as effective.

In addition to the answers, Sen. Wyden has requested UHG supply a copy of each of the reports from the security auditors for the 5 years leading up to the attack along with the names of the companies that conducted the audits. A response is required no later than November 8, 2024.

Jul 31, 2024: Change Healthcare Notice of Data Breach Provided to OCR

The Change Healthcare notice of data breach has been provided to the HHS’ Office for Civil Rights (OCR) and while the data breach was expected to include the protected health information of more than 110 million individuals, it has been reported to OCR as affecting 500 individuals.

Change Healthcare notified OCR about the data breach on July 19, 2024, a day before individual notifications started to be mailed. OCR has previously stated that when a data breach is reported, it can take up to 2 weeks for the breach to be added to the data breach portal. OCR has previously instructed HIPAA-regulated entities to provide an estimate of the number of affected individuals if the final total is not yet known.

The use of the 500 affected individuals figure warranted an explanation from OCR, which updated its FAQs page. “Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal,” wrote OCR. “Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach.”

It could be some time before the CHC data breach total is updated and the true scale of the data breach is confirmed. UnitedHealth Group has repeatedly stated that the full review of the affected files is likely to take several months.

Jul 19, 2024: Change Healthcare Ransomware Attack Cost Will Be At Least $2.3 Billion This Year

UnitedHealth Group has provided an update on the Change Healthcare ransomware attack, which was detected on February 21, 2024. Most of Change Healthcare’s systems have now been fully restored and more than $9 billion in funding has been issued under its temporary financial assistance program to help covered entities affected by the outage who have been experiencing financial difficulties due to billing problems.

As of June 30, 2024, UnitedHealth Group has paid $1.98 billion in costs, including $1.3 billion in direct costs restoring the Change Healthcare clearinghouse platform and having to pay higher expenses due to the temporary pause of its care management activities. UnitedHealth Group confirmed that individuals will start to be notified by mail on June 20, 2024.

UnitedHealth Group’s Q2 earnings report shows $7.9 billion in earnings and $4.2 billion in profit. Its revenues are up 6% year over year at $98.9 billion for the quarter, although profit is down from $5.5 billion in Q2 2023, mostly due to the Change Healthcare cyberattack. UnitedHealth Group anticipates costs will increase to at least $2.3 billion in 2024.

Jul 10, 2024: Change Healthcare Data Breach 2024 Notification Letter

Ahead of mailing individual notifications later this month, a Change Healthcare data breach notification letter has been published. The substitute notice explains what happened, when Change Healthcare learned that data had been stolen (March 7, 2024) and that it was not possible to start its analysis of the affected data until March 13, 2024, when it first obtained a safe copy of the data for analysis.

Change Healthcare said it is not possible to confirm exactly what types of data have been compromised for each affected individual, but said it likely includes first and last name, address, phone number, date of birth, and email address as well as some or all of the following:

  • Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
  • Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
  • Other personal information such as Social Security numbers, driver’s licenses/state ID numbers, and passport numbers.

Change Healthcare confirmed that no evidence has been found to indicate full medical histories have been compromised and said that some of the compromised information may relate to guarantors who paid bills for healthcare services.

Change Healthcare also confirmed that complimentary credit monitoring and identity theft protection services have been made available for 2 years.

Jul 2, 2024: CHIME Asks OCR to Clarify Change Healthcare Breach Notification Responsibilities

Change Healthcare has confirmed that it will handle data breach notifications and stated that it anticipates sending notifications by the end of July. OCR has confirmed that Change Healthcare may send data breach notifications rather than the affected covered entities; however, some questions remain unanswered.

The College of Healthcare Information Management Executives (CHIME) is still receiving questions from its members about the responsibilities of the covered entities that have delegated responsibility for issuing notifications to Change Healthcare.

“We request confirmation that upon completing the delegation, the notification obligations will rest with Change Healthcare/UHG, with [covered entities] responding to reasonable requests to provide Change Healthcare/UHG with any needed information to the extent feasible,” wrote CHIME in a June 26, 2024, letter to OCR Director Melanie Fontes Rainer. “Anything less will fall short of the mark in providing clarity and reducing the overwhelming burden already experienced by affected clinicians and providers.”

CHIME asked OCR to confirm if there is a formal process for delegating responsibility to Change Healthcare for issuing data breach notifications and what actions OCR recommends the covered entities in a business associate relationship with Change Healthcare should take. It is also unclear whether downstream subcontractors of a business associate of Change Healthcare must also delegate responsibility for issuing notifications to Change Healthcare.

Naturally, OCR has provided advice on its FAQ page about issuing notifications to fulfill responsibilities under the HIPAA Breach Notification Rule, but there are also breach reporting requirements under state laws. CHIME is seeking advice on where the responsibility lies for ensuring those notifications are issued.

CHIME has also expressed concern about individuals receiving more than one notification since each affected payer could potentially issue notifications. CHIME says that could cause stress and anxiety, and asked OCR to confirm what is being done to ensure that only one notification is received by each affected individual.

Jun 21, 2024: Change Healthcare Data Breach Notifications Sent to Affected Providers

As requested by Senators Hassan and Blackburn, the covered entities affected by the Change Healthcare data breach are now being notified. Change Healthcare has confirmed that significant progress has been made in reviewing the affected data and that the process is now 90% completed.

Change Healthcare has confirmed that the types of data compromised in the ransomware attack include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information, although it is not possible, at this stage, to confirm exactly what information was compromised for each affected covered entity client.

HHS’ Office for Civil Rights Director Melanie Fontes Rainer has previously confirmed that the affected covered entities have 60 days from being notified about the breach to issue notifications. If they require Change Healthcare to send data breach notifications, they must contact Change Healthcare to make the arrangements.

Change Healthcare said it will start mailing individual notifications by the end of July for the clients who have asked for Change Healthcare to issue notifications, but stated that up-to-date contact information may not be held for those individuals.

“The media notice and substitute notification posted is the next step in the process and consistent with the ongoing communication we have been providing regarding this cyberattack against Change Healthcare and the U.S. healthcare system,” said Change Healthcare. “While the data review is in its late stages, we continue to provide credit monitoring and identity theft protection to people concerned about their data potentially being impacted.”

Jun 8, 2024: Change Healthcare Must Issue Notifications Before June 21, Say Senators

Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) have written to UnitedHealth Group CEO Andrew Witty to ask him to confirm that Change Healthcare will be handling all notification requirements for the Change Healthcare data breach. HHS Office for Civil Rights Director Melanie Fontes Rainer has confirmed that Change Healthcare may send notification letters, and UnitedHealth Group has stated that it is willing to assist with notifications. The Senators want confirmation from Witty that Change Healthcare will be handling all notification requirements.

They also criticized Witty over the delay in issuing notifications, as it has been three months since the ransomware attack was detected and notifications still have not been issued to the affected covered entities, let alone the individuals whose data was compromised. The Senators asked Witty to share the plan for issuing notifications and requested that they be sent to the affected covered entities no later than June 21, 2024, which means that individual notifications will need to be mailed no later than 60 days after that date.

Jun 3, 2024: OCR: Change Healthcare Can Issue Data Breach Notifications

The HHS’ Office for Civil Rights (OCR) has responded to the calls from provider groups to provide clarity on who is responsible for issuing notifications about the Change Healthcare data breach. OCR has updated its FAQs confirming how HIPAA applies to business associate data breaches.

The HIPAA Breach Notification Rule requires notifications to be issued without undue delay and no later than 60 days from the date of discovery of a data breach. When a data breach occurs at a business associate of a HIPAA-covered entity, it is ultimately the responsibility of each covered entity to ensure that notifications are issued to OCR, the affected individuals, and the media. Covered entities may delegate responsibility for issuing notifications to the business associate, but it is the responsibility of each covered entity to make sure that all notifications are issued.

OCR Director, Melanie Fontes Rainer, said that as far as OCR is concerned, Change Healthcare may handle the breach reporting requirements but if the affected covered entities require Change Healthcare to send notifications, then they must contact Change Healthcare to request it. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized,” said Fontes Rainer.

Fontes Rainer also clarified the time frame for issuing notifications. “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or [UnitedHealth Group].”

Jun 1, 2024: UnitedHealth Group Executives Should be Held Accountable for Cyberattack, Says Senator

Senator Ron Wyden (D-OR) wrote to the Chairs of the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) calling for UnitedHealth Group executives to be held accountable for the attack and the huge disruption that has been caused.

A company as large as Change Healthcare, which processes more than 15 billion transactions a year and whose systems touch the health information of 1 in 3 Americans, should have exceptional security measures, yet the ransomware attack was made possible due to the lack of one of the most basic cybersecurity measures – multifactor authentication on a system that provided remote access.

A cyberattack on Change Healthcare, which is a huge target considering its size, should have been anticipated and plans should have been developed and tested for responding to such an incident. Had such a plan been in place, the outage would have lasted for hours or days, rather than months.

Sen. Wyden said the lack of MFA amounts to corporate negligence and that executives should be held accountable for the security lapses and lack of preparedness. He called for the SEC and FTC to investigate UnitedHealth Group over the negligent cybersecurity practices.

Much of the blame for the attack is likely to be directed at UnitedHealth Group’s Chief Information Security Officer (CISO), who was appointed to the role in June 2023 after holding other positions at UnitedHealth Group and Change Healthcare, although the CISO had not held any cybersecurity positions elsewhere. Sen. Wyden said the blame should not fall on the CISO, who appeared to be unqualified to hold the position; rather, the board of directors should be blamed for appointing a person who did not have the necessary experience for the role.

May 22, 2024: Clarification Sought from OCR on Change Healthcare Data Breach Notification Requirements

The College of Healthcare Information Management Executives (CHIME), American Health Information Management Association (AHIMA), American Medical Association (AMA), and more than 100 provider groups have called for the HHS to clarify the data breach reporting requirements for the Change Healthcare data breach.

UnitedHealth Group has previously confirmed that it is “committed to doing everything possible to help and provide support to anyone who may need it,” which includes assisting with the notification requirements. “UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”

The HHS Office for Civil Rights (OCR) has confirmed that covered entities may delegate responsibility for issuing notifications to business associates; however, the provider groups are pushing for OCR to confirm that it is the responsibility of Change Healthcare to issue notifications. They would like to be able to tell their members that they do not need to worry about issuing notifications to OCR, state Attorneys General, the individuals affected, and the media. CHIME said it would be quick and easy for OCR to issue a statement confirming that Change Healthcare will be handling all notification requirements and bears sole responsibility for doing so.

The provider groups have been contacted by members worried that in addition to having to deal with the aftermath of the ransomware attack, they could also be investigated by OCR for HIPAA compliance. The provider groups have asked OCR to confirm that the breach investigation will be focused on Change Healthcare and not the healthcare providers that have been affected by the incident.

May 3, 2024: UnitedHealth Group CEO Testifies at House Subcommittee Hearing

UnitedHealth Group CEO Andrew Witty has attended a House subcommittee hearing and has faced questions from Senators about the Change Healthcare ransomware attack, data breach, and continuing outage.

Witty began by apologizing, saying he was “deeply, deeply sorry” for the attack, the disruption caused to providers, and the impact the attack has had on patients. Cybersecurity experts had suggested that the initial access vector may have been a vulnerability that was announced around the same time that the attack occurred; however, Witty confirmed that was not the case.

Witty said the attacker used compromised credentials for a Citrix portal which was used for remote access and that the portal did not have multifactor authentication enabled, even though it was company policy for MFA to be implemented on all external-facing systems. He also confirmed that Change Healthcare’s head of cybersecurity was aware of the lack of MFA and that it has now been implemented on all external-facing systems.
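The gap described in the testimony, a written MFA policy that one external-facing portal did not follow, is the kind of drift that checking login records against the asset inventory can surface. The following is an added example, not code from UnitedHealth Group or from this article; the inventory, system names, users, and JSON-lines log format are all constructed assumptions.

```python
"""Check an "MFA on every external-facing system" policy against login records.

Added example. The inventory, system names, users and the JSON-lines event
format are constructed assumptions, not any real product's log schema.
"""
import json
from collections import defaultdict

# Factor names (assumed vocabulary) mapped to authentication factor classes.
FACTOR_CLASS = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "totp": "possession", "push": "possession", "hardware_key": "possession",
    "biometric": "inherence",
}
REQUIRED_KEYS = {"system", "user", "result"}

# Constructed asset inventory.
INVENTORY = {
    "remote-portal-01": {"external_facing": True},
    "vpn-gw-01": {"external_facing": True},
    "partner-sftp": {"external_facing": True},
    "hr-intranet": {"external_facing": False},
}

# Constructed authentication events: one JSON object per line, last line damaged.
SAMPLE_EVENTS = """\
{"ts": "2025-01-10T08:01:12Z", "system": "vpn-gw-01", "user": "alice", "result": "success", "factors": ["password", "totp"]}
{"ts": "2025-01-10T08:07:40Z", "system": "remote-portal-01", "user": "svc_legacy", "result": "success", "factors": ["password"]}
{"ts": "2025-01-10T08:09:03Z", "system": "remote-portal-01", "user": "bob", "result": "success", "factors": ["password", "security_question"]}
{"ts": "2025-01-10T08:15:55Z", "system": "remote-portal-01", "user": "carol", "result": "failure", "factors": ["password"]}
{"ts": "2025-01-10T08:20:31Z", "system": "hr-intranet", "user": "dave", "result": "success", "factors": ["password"]}
{"ts": "2025-01-10T08:31:18Z", "system": "staging-gw-09", "user": "erin", "result": "success", "factors": ["password"]}
{"ts": "2025-01-10T08:40:
"""


def parse_events(text):
    """Return (events, malformed_count); damaged lines are counted, not fatal."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(ev, dict) or not REQUIRED_KEYS <= ev.keys():
            malformed += 1
            continue
        events.append(ev)
    return events, malformed


def is_multifactor(factors):
    """True only if at least two *different* factor classes were presented."""
    classes = {FACTOR_CLASS.get(f) for f in factors} - {None}
    return len(classes) >= 2


def audit_mfa(inventory, events):
    """Map each in-scope system to (status, users who got in without MFA)."""
    single = defaultdict(set)   # system -> users with a single-class success
    seen_success = set()        # systems with at least one successful login
    for ev in events:
        if ev["result"] != "success":
            continue
        seen_success.add(ev["system"])
        if not is_multifactor(ev.get("factors") or []):
            single[ev["system"]].add(ev["user"])

    report = {}
    for name, meta in inventory.items():
        if not meta["external_facing"]:
            continue                      # policy scope is external-facing only
        if name in single:
            report[name] = ("violation", sorted(single[name]))
        elif name in seen_success:
            report[name] = ("compliant", [])
        else:
            # No successful logins observed: enforcement is unproven, not proven.
            report[name] = ("unverified", [])
    # Systems that accept logins but are missing from the inventory entirely.
    for name in sorted(seen_success - set(inventory)):
        report[name] = ("uninventoried", sorted(single.get(name, ())))
    return report


if __name__ == "__main__":
    events, malformed = parse_events(SAMPLE_EVENTS)
    for system, (status, users) in sorted(audit_mfa(INVENTORY, events).items()):
        print(f"{system:18} {status:14} {', '.join(users)}")
    print(f"malformed lines skipped: {malformed}")
```

Two results are worth noting: a password plus a security question counts as single-factor because both are knowledge factors, and a system with no observed logins is reported as unverified rather than compliant.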

Witty was asked about the likely scale of the data breach but was reluctant to provide a figure. When pushed and asked to provide an estimate, he said the breach could involve the information of 1 in 3 Americans, which would be more than 110 million individuals.

Witty was reminded that HIPAA requires data breach notifications to be issued within 60 days of the discovery of a data breach. Senator Maggie Hassan (D-NH) pointed out that the breach occurred on February 21, 2024, and that 10 weeks is too long for individuals to have to wait to find out if their healthcare data has been exposed and may have been sold or released on the dark web.

Witty said that sending notification letters immediately, as requested, is not possible, and said the complex nature of the investigation means it may take several months before all notifications can be issued.

Several Senators criticized UnitedHealth Group for the length of time it has taken to update Change Healthcare’s systems and perform upgrades. UnitedHealth Group acquired Change Healthcare in 2022, yet essential updates to its systems have still not been completed. They also asked for a status update on the recovery. Witty confirmed that all core systems have now been restored but older Change Healthcare systems are still not up and running.

One of the questions that has been asked by many lawmakers is whether the anti-competitive practices of Change Healthcare are to blame for the lengthy outage. UnitedHealth Group has been gobbling up smaller companies and has become a behemoth, but the dominance in healthcare markets has created a special vulnerability that has had an outsized ripple effect. When companies become as big as UnitedHealth Group, a ransomware attack will inevitably cause huge disruption.

Change Healthcare and UnitedHealth Group should have been aware of that fact, yet they have apparently failed to take appropriate action to prevent massive disruption. “Your revenues are bigger than some countries’ GDP,” said Sen. Marsha Blackburn (R-TN). “How in heaven’s name did you not have the necessary redundancies, so that you did not experience this attack and find yourself so vulnerable?”

Apr 30, 2024: UnitedHealth Group CEO to Testify Before House E&C Subcommittee

UnitedHealth Group CEO Andrew Witty is due to testify before the House Energy and Commerce Committee about the Change Healthcare cyber attack and data breach. In his written testimony, which was released ahead of the hearing, Witty confirmed that the full resources of UnitedHealth Group have been devoted to the investigation and remediation of the attack, and staff have been working 24/7 on response and restoration.

Witty explained that an attempted intrusion is repelled every 70 seconds, and each year more than 450,000 attempted intrusions are blocked; however, on February 12, 2024, one of those attempts was successful. A hacker had access to the network from that date until February 21, 2024, during which time the hacker moved laterally and exfiltrated data, then used ransomware to encrypt files.

While the attack was not prevented, UnitedHealth Group was able to prevent the attack from spreading to other systems, including those of UnitedHealthcare, UnitedHealth Group, and Optum. Witty confirmed that the investigation is ongoing, that they want to learn every detail, and that the information will be used to make its cybersecurity defenses even stronger.

Witty explained the reason for the outage, saying that it was initially unclear how access was gained to the network, so the decision was taken to sever all connections with its data centers. While such a move was certain to result in major disruption, he defended the move as it was necessary to limit the harm that could be caused. He said the decision was guided by “the overriding priority to do everything possible to protect people’s personal health information,” and said that decision was one of the hardest he has ever had to make.

While everyone needs to be informed if their personal and health data has been compromised, Witty said the review of the data is complicated and it will likely take several months to issue individual notifications to all of the affected individuals. In the meantime, to ensure that those individuals are protected, UnitedHealth Group has been providing free credit monitoring and identity theft protection services for 2 years and has set up a dedicated call center to provide answers to questions.

Those services are available immediately, and individuals do not need to wait until they receive a letter to sign up for those services. Further information on those services and helpline information is available at this link.

April 24, 2024: HHS Creates Web Page with FAQs About the Change Healthcare Cyberattack and Data Breach

The HHS’ Office for Civil Rights (OCR) has created a new web page with frequently asked questions about the Change Healthcare cyberattack. OCR explained why the Dear Colleague letter was issued, confirming that the unprecedented disruption caused by the attack prompted OCR to launch an immediate investigation and alert the affected covered entities about their responsibilities under HIPAA.

The FAQ explains that affected covered entities must ensure that they have a business associate agreement with Change Healthcare if they use its services and that it is their responsibility to ensure that any protected health information is appropriately safeguarded.

Regarding data breach notifications, OCR explained that when there is a breach of unsecured PHI, covered entities must inform OCR, send individual notifications, and notify the media without unnecessary delay and no later than 60 days from the date of discovery of the data breach. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to ensure that notifications are issued within the allowed time frame. OCR confirmed that covered entities may delegate the notification requirements to the business associate.

If affected providers wish to delegate responsibility for issuing notifications to Change Healthcare, they must contact Change Healthcare to make those arrangements. UnitedHealth Group has confirmed publicly that it is willing to help the affected providers with the notification requirements but has not stated that it will be sending notifications on behalf of all affected clients.

Apr 23, 2024: 1 in 3 Americans May Have Been Affected by Change Healthcare Ransomware Attack

There has been the first confirmation from UnitedHealth Group about the potential size of the Change Healthcare data breach. UnitedHealth Group CEO Andrew Witty has confirmed that the breach could affect “a substantial proportion of people in America,” although no figure has been provided so far on how many that is likely to be. Given that Change Healthcare’s systems touch the health information of 1 in 3 Americans, it is possible that all of that data may have been breached.

Witty confirmed that a ransom was paid to prevent the publication of the stolen data, and while he did not confirm how much was paid, it has previously been reported by other sources to be $22 million. That attempt was not successful as the data has been obtained by the RansomHub group.

The review of the affected data is ongoing, and it is not yet possible to say exactly what types of data were involved, but Witty said doctors’ charts and full medical histories do not appear to have been stolen. A web page has been created that provides further information for individuals potentially affected by the data breach.

It has now been two months since the breach and no notification letters have been sent. Now that it has been confirmed that protected health information has been breached, the clock starts ticking for sending notification letters, which must be sent no later than 60 days from the date of discovery that protected health information was involved. That means individual notifications should start to be issued by the middle of June.

An update has been provided on the recovery process. Change Healthcare is now processing payments at around 86% of pre-incident levels and around 80% of functionality has now been restored, although it will likely be several weeks before all systems are fully operational.

Apr 17, 2024: RansomHub Group Starts Leaking Stolen Change Healthcare Data

The RansomHub ransomware group has started leaking screenshots of some of the data stolen in the Change Healthcare ransomware attack. RansomHub obtained the data from an affiliate of the ALPHV/Blackcat group after the ransomware operators pulled an exit scam and didn’t pay the affiliate. The screenshots leaked so far show data-sharing agreements with its clients, and some of the screenshots show patient data.

RansomHub has confirmed that no ransom payment has been made so far (other than the $22 million payment to ALPHV/Blackcat) and that if the ransom is not paid in the next 5 days, RansomHub will sell the stolen data to the highest bidder.

With the outage continuing, healthcare providers are continuing to struggle financially. A survey conducted by the American Medical Association (AMA) on its members found more than one-third of physician practices have had claims payment suspended due to the ransomware attack, one-third have not been able to submit claims, two-fifths have not been receiving electronic remittance advice, and one-fifth have been unable to verify eligibility for benefits.

80% of surveyed providers report losing revenue as a result of the outage due to unpaid claims, 78% have lost revenue due to the inability to submit claims, and around half have lost revenue because they have been unable to charge patient co-pays. The continued outage has forced 48% of providers to enter into new agreements with alternative clearinghouses to allow them to conduct electronic transactions, and those agreements have been costly.

“These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians,” said AMA President Jesse M. Ehrenfeld, MD, MPH. “The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.”

Apr 16, 2024: Lawmakers Demand Answers About Cause of Change Healthcare Data Breach and Continuing Outage

Lawmakers have been asking questions about how a ransomware attack could cause so much disruption and why an attack of this nature was not anticipated. Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, and Subcommittee Chair, Richard Blumenthal (D-CT), wrote to UnitedHealth Group CEO Andrew Witty asking for further information on how Change Healthcare’s network was breached, why there was a lack of redundancy to prevent a major outage, what steps are being taken to fill the revenue gap that healthcare providers are experiencing, and what is being done to identify the individuals who had their information stolen in the attack.

Members of the House of Representatives Committee on Energy and Commerce wrote to Witty demanding answers about the status of the recovery and restoration of systems and asked what cybersecurity protocols and resources were in place prior to the attack.

Anna G. Eshoo (D-CA), ranking member of the Energy and Commerce Health Subcommittee, criticized Change Healthcare’s anti-competitive practices which have contributed to the massive disruption, and questions were asked about how the government has allowed a company to get so large through mergers and acquisitions to the point where it has created a single point of failure that has brought the healthcare industry to its knees.

Apr 9, 2024: Consolidated Change Healthcare Data Breach Lawsuit Sought

At least two dozen Change Healthcare data breach lawsuits have now been filed by individuals who believe they have been affected, although no notification letters have been issued to date confirming that to be the case. Several lawsuits have also been filed by healthcare providers affected by the Change Healthcare outage to recover the losses they have incurred.

One of the problems for Change Healthcare is that lawsuits have been filed in several states. Change Healthcare has filed a motion to have all of the lawsuits consolidated and transferred to the Middle District of Tennessee, where the company is located and where Change Healthcare says the key custodians, witnesses, and evidence are located. Should there be no consolidation, Change Healthcare says there will likely be duplicative discovery, the company may face inconsistent pretrial rulings and will have to spread its resources thinly.

Change Healthcare argues that all of the lawsuits filed so far include common factual and legal issues arising from the cyberattack and they assert substantially identical causes of action. Change Healthcare denies any wrongdoing and states in the filing that all of the actions are “based on an incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient and plaintiffs must have been harmed.”

Apr 8, 2024: RansomHub Claims to Have Stolen Change Healthcare Data

Paying a ransom does not guarantee the deletion of the stolen data, as Change Healthcare has discovered. While the ALPHV/Blackcat group behind the attack appears not to have published or sold the stolen data, the affiliate who conducted the attack retained a copy and has passed the data on to another threat group, a relatively new ransomware group called RansomHub.

RansomHub claims to have the only copy of the stolen Change Healthcare data and is now threatening to leak that data if a ransom is not paid. The group has given a deadline of 12 days to pay the ransom and has confirmed that none of the stolen data has been leaked to date. It is currently unclear how much RansomHub is demanding. UnitedHealth Group has already paid a $22 million ransom to the ALPHV/Blackcat group and may be unwilling to pay out more when there is a risk that there may be further extortion attempts if any further payment is made.

Mar 30, 2024: Protected Health Information Stolen in Change Healthcare Cyberattack

UnitedHealth Group has confirmed that it has started to analyze the files that were exposed in the Change Healthcare ransomware attack. It has been five weeks since the attack was discovered, but it was not possible to analyze the exposed files until now. First, it was necessary to ensure that data could be safely obtained, and then there were complex mounting and decompression procedures to complete.

The extent of the Change Healthcare data breach has not yet been confirmed, and UnitedHealth Group is not in a position to state what types of data have been exposed at this stage, although it did say that personally identifiable health information, eligibility and claims information, and financial information have likely been exposed or stolen. UnitedHealth Group is unable to provide a timeline on how long it will take to review the affected data. As far as UnitedHealth Group has been able to determine, the stolen data has not been posted on the dark web.

An update has been provided on the recovery process. Several key systems have now been restored, although many remain offline. UnitedHealth Group confirmed that eligibility processing, clinical data exchange, and retrospective episode-based payment models should be restored in the next 3 weeks and said $3.3 billion has been made available to providers through its temporary financial assistance program. The repayment terms have also been updated with UnitedHealth Group stating that loans will not have to be repaid until 45 days after receipt of the invoice.

Mar 25, 2024: Change Healthcare Breach Notification Confusion

The American Hospital Association (AHA) and the Washington State Hospital Association (WSHA) have been contacted by their members who have been left confused about the “Dear Colleague” letter from HHS Office for Civil Rights (OCR) Director Melanie Fontes Rainer regarding the Change Healthcare breach notification requirements. While the data breach occurred at Change Healthcare, the letter appeared to suggest that the affected covered entities may be required to issue breach notification letters.

According to the AHA, Change Healthcare is a covered entity but also acts as a business associate, and the responsibility for notifying OCR and issuing individual notifications should lie with Change Healthcare, should it be determined that there has been a reportable breach of protected health information.

“We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already,” said the AHA in a letter to the OCR Director. “Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack.”

The WSHA has provided clarification for its members, recommending that they review their business associate agreements with Change Healthcare, specifically the requirements for the timing of notifications about data breaches and who is responsible for sending those notifications.

Today, the HHS Centers for Medicare and Medicaid Services (CMS) and the Administration for Strategic Preparedness and Response (ASPR) released guidance for covered entities affected by the Change Healthcare ransomware attack.

In the guidance, HHS Deputy Secretary Andrea Palm, ASPR Administrator and Assistant Secretary Dawn O’Connell, and CMS Administrator Chiquita Brooks-LaSure said they are being contacted by affected providers who report that they have struggled to get answers from healthcare plans about the availability of prospective payments or the flexibilities required while the Change Healthcare platform is unavailable.

The guidance includes contact information for health plans where affected providers can get the answers they seek, and also reminds healthcare providers about the importance of adopting the HHS’s voluntary cybersecurity performance goals, which will help them to strengthen cybersecurity and prevent cyberattacks.

Mar 15, 2024: Initial Access Vector Identified but Not Disclosed

UnitedHealth Group has confirmed that it has identified the initial access vector used to gain access to Change Healthcare’s systems but has not publicly disclosed what that access vector is. Mandiant and Palo Alto Networks have been assisting with the forensic investigation and now that the initial access vector is known, UnitedHealth Group has been able to identify a safe point for data restoration – a vital step in the recovery process as it now means that work can commence on restoring the affected systems that are currently not operational and start the process of analyzing the affected data.

UnitedHealth Group said it will continue to provide updates as its investigation progresses and has confirmed that new instances of certain systems have been stood up, including its Rx Connect (Switch) and Rx ePrescribing services. Rx Connect, Rx Edit, and Rx Assist services are also now available for customers with direct internet access connectivity. All major pharmacy and payment systems are now up and running and more than 99% of claims volume is now flowing.

Mar 13, 2024: HHS’ Office for Civil Rights Starts Investigation of Change Healthcare Ransomware Attack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has confirmed that it has initiated an investigation of the Change Healthcare ransomware attack. OCR investigates all data breaches of 500 or more records to determine whether the breached entity was compliant with the HIPAA Rules, but these investigations are usually initiated several months after a data breach is reported. Change Healthcare has yet to report any data breach and still has 5 weeks left to do so, per the reporting requirements of the HIPAA Breach Notification Rule, which requires data breaches to be reported within 60 days of the date of discovery of a data breach.

The unusual step was taken by OCR due to the massive impact the ransomware attack has had on providers and patients. OCR explained the decision in a “Dear Colleague” letter, which was uploaded to the HHS website on March 13, 2024. “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health,” explained OCR Director Melanie Fontes Rainer in the letter.

What may be alarming for many HIPAA-covered entities is the potential for OCR’s Change Healthcare investigation to be extended to the affected providers. “OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary,” explained OCR in the letter. “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

Mar 8, 2024: UnitedHealth Group Provides Recovery Timeline

UnitedHealth Group has provided a Change Healthcare cyberattack update today, just over two weeks after the ransomware attack was discovered. UnitedHealth Group confirmed that its ePrescribing service is fully functional; however, it does not anticipate making electronic payments available until March 15, 2024. UnitedHealth Group plans to start testing its claims and network software on March 18, 2024, and will then be able to restore those systems.

Prior authorizations have been suspended for most outpatient services for Medicare Advantage plans, there is a hold on utilization reviews for inpatient admissions until March 31, 2024, and drug formulary exception review has been suspended for Medicare Part D pharmacy benefits. Affected pharmacies have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filed during the outage “with the good faith understanding that a medication would be covered.”

Due to the continuing outage, UnitedHealth Group has confirmed that it is extending its financial assistance program to include providers who have exhausted all available connection options and those who work with payers who are unable to advance finance during the outage. The terms of the financial assistance program have also been changed, with repayment not required until all claims flows have completely resumed. The previous terms required payment to be made within 5 days of the request being issued; however, that time frame has been extended to 30 days after receipt of the invoice.

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said UnitedHealth Group CEO, Andrew Witty. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices and that patients can get their medications. We’re determined to make this right as fast as possible.”

Mar 6, 2024: $22 Million Ransom Paid to ALPHAV/Blackcat

There have been reports that a $22 million ransom was paid to the ALPHAV/Blackcat group by UnitedHealth Group subsidiary, Optum. When a ransom is paid to a RaaS group, the decryption keys are usually provided, and the leaking of data is prevented; however, ALPHAV/Blackcat appears to have shut down its operation and performed an exit scam, where the $22 million ransom payment is kept and the affiliate who conducted the attack is not paid.

ALPHAV/Blackcat has shut down its servers, taken its ransomware negotiation site offline, and posted a message “Everything is off, we decide.” A spokesperson for the group claimed that its operation was shut down by law enforcement and that it would be selling its source code. After such a high-profile attack, the shutdown of the operation is understandable. Ransomware groups often shut down and rebrand, as was the case following the ransomware attack on Colonial Pipeline by the DarkSide ransomware group.

RaaS groups usually pay their affiliates around 70% of any ransom payments they generate and retain the other 30%, but it appears that ALPHAV/Blackcat has decided to keep the lot. The affiliate behind the attack – Notchy – claims not to have been paid their cut of the 350 Bitcoin ransom paid by Optum and provided proof that the payment had been made. Notchy also claims to have a copy of the stolen data, although it is currently unclear what will happen to that data. It is probable that attempts will be made to sell the data to obtain payment for conducting the attack.

It is still unclear what is in that dataset as neither UnitedHealth Group nor Change Healthcare has confirmed the extent of any data breach. Notchy said that the data includes sensitive information from Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust, and tens of insurance companies.

The number of lawsuits filed against Change Healthcare and UnitedHealth Group over the Change Healthcare ransomware attack is mounting. While the extent of any Change Healthcare data breach has yet to be confirmed, several class action lawsuits have already been filed in Tennessee and Minnesota. The lawsuits assert claims of negligence that resulted in the theft of patients’ sensitive data, and many more are likely to be filed over the coming weeks and months.

Mar 5, 2024: UnitedHealth Group Announces Temporary Funding Assistance for Affected Providers

Healthcare providers across the United States have been experiencing financial problems due to the continuing Change Healthcare outage, which is preventing them from receiving payments for the healthcare services they are providing. Due to the continuing billing problems, healthcare providers have been forced to use cash reserves to purchase supplies and cover payroll and other expenses.

To assist the affected providers, UnitedHealth Group has announced that it has established a financial assistance program and that providers affected by the continuing outage can apply for temporary funding through Optum Financial Services. Providers that wish to take advantage of this temporary funding will be paid based on prior claims volume, and the funding will be interest and fee-free.

“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” said UnitedHealth Group. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

While the funding program has been welcomed, only a limited number of providers will be able to submit claims as the financial assistance program is only available to providers affected by the disruption to payment distribution, and not to providers that have experienced claims submission disruption. The terms are also a cause of concern, as UnitedHealth Group said the funds would need to be paid back when normal operations resume, and payment will be required within 5 days of being provided with notice. The terms and conditions also state that Optum Financial Services will be able to take back the funds without advance communication.

The American Hospital Association (AHA) said many providers are experiencing severe cash flow problems and the financial assistance program, while welcomed, falls far short of what is required as it fails to address the problem of not being able to bill in a timely manner due to the disruption to Change Healthcare’s clearinghouse and claims submission systems. Further, the AHA said the terms are “shockingly onerous.”

Mar 2, 2024: Change Healthcare’s ePrescribing Service Restored

Yesterday, Change Healthcare confirmed that a new instance of its ePrescribing service has been set up although Clinical Exchange ePrescribing providers’ tools are not yet operational. In an update on its website, Change Healthcare said, “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types. As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”

UnitedHealth Group said it has already processed around 3 million transactions and the daily volume is increasing as more vendors reconnect to its system, and that 90% of claims are now flowing uninterrupted. The volume is expected to increase to more than 95% by the week commencing March 11, 2024. While progress is being made with the recovery of its systems, Change Healthcare’s payment capabilities have not yet been restored.

Feb 29, 2024: Blackcat Ransomware Attack Confirmed by Change Healthcare

Change Healthcare has confirmed that its February 2024 cyberattack was a ransomware attack by the ALPHV/Blackcat ransomware group. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” explained Change Healthcare on its website. “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact on members, patients, and customers.”

The extent of any Change Healthcare data breach has still not been confirmed; however, ALPHV/Blackcat has added Change Healthcare to its data leak site and claims that 6 terabytes of data were stolen in the attack. The stolen data allegedly includes highly sensitive data from Medicare, CVS, Caremark, Health Net, and the U.S. military medical health agency Tricare, as well as the source code of Change Healthcare’s applications. The cybercriminal group also claims that the stolen data includes the data of millions of patients, including health and dental records, insurance information, claims information, personal information, and Social Security numbers.

Feb 27, 2024: ALPHV/Blackcat Ransomware Group Responsible for Change Healthcare Cyberattack

It has been 7 days since the Change Healthcare cyberattack. According to Reuters, sources close to the investigation have confirmed that this was a ransomware attack by the ALPHV/Blackcat ransomware group, although UnitedHealth Group/Change Healthcare has yet to confirm that this was a ransomware attack. Change Healthcare had previously stated that it suspected a nation-state actor was behind the attack, but ALPHV/Blackcat is a financially motivated cybercriminal group.

ALPHV/Blackcat is one of the most active ransomware-as-a-service (RaaS) groups. In December 2023, the U.S. Justice Department, Europol, and the U.K.’s National Crime Agency (NCA) were involved in an operation to disrupt the group, and while that operation was successful, the group was able to rapidly restore its infrastructure and continue its attacks. In response to the takedown, the group claimed that it had removed restrictions for its affiliates who were free to conduct attacks on previously prohibited targets, including healthcare providers.

ALPHV/Blackcat engages in double extortion tactics, where data is exfiltrated before file encryption. A ransom demand is issued and payment is required to obtain the keys to decrypt data and to prevent stolen data from being uploaded to its data leak site. A ransom demand will undoubtedly be issued but, at this stage, it is unclear how much that ransom is or the extent of any Change Healthcare data breach. Given the amount of data processed through Change Healthcare, if there has been a data breach it could be massive.

Today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert about the ALPHV/Blackcat ransomware group following several attacks on the healthcare sector. Since December 2023, healthcare has been the sector attacked most frequently by the ALPHV/Blackcat group.

Change Healthcare has been providing updates on the attack and recovery and has confirmed on its website that, “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.” Yesterday, Change Healthcare said, “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”

Feb 23, 2024: Change Healthcare Announces Cyberattack

Nashville, TN-based Change Healthcare has announced that it is dealing with a cyberattack that has disrupted its IT systems. Change Healthcare is a revenue and payment cycle management provider whose systems connect payers, providers, and patients within the US healthcare system. Each year, 15 billion healthcare transactions are completed through Change Healthcare’s systems, and its clinical connectivity solutions touch the health records of 1 in 3 Americans. The UnitedHealth Group subsidiary provides prescription processing services through Optum, which serves around 67,000 U.S. pharmacies and 129 million patients.

An intrusion was detected on February 21, 2024, and immediate action was taken to prevent further unauthorized access to its network. In a filing with the U.S. Securities and Exchange Commission (SEC), Change Healthcare’s parent company, UnitedHealth Group, confirmed that the cyberattack on Change Healthcare had affected dozens of its systems, which have had to be taken offline. It is not possible to provide a timeline for when those systems will be brought back online.

An investigation has been launched into the incident and it is too early to tell if any patient data has been exposed or stolen. The identity of the threat actor behind the attack is not known, although UnitedHealth Group suspects this was an attack by a nation-state actor. The American Hospital Association has issued a warning to its members advising them to immediately disconnect from Optum and switch to manual processes as a precaution until it is confirmed that it is safe to reconnect.

Change Healthcare said the cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working round the clock to mitigate the attack and restore access to its systems. The attack is causing massive disruption to billing and payment operations at healthcare providers across the United States, including hospitals, clinics, and pharmacies. Pharmacies have been unable to send orders through insurance plans and are experiencing delays in processing prescriptions.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/