Change Healthcare cyberattack still impacting pharmacies, as H-ISAC issues alert

"More organizations will be compromised," said the info sharing group as it urged updates to ScreenConnect software. The AHA said health systems should assess the effects of staying disconnected from nonimpacted Optum and United Health network services.
By Andrea Fox

Updated February 27, 2024, to include additional comments.

The Health Information Sharing and Analysis Center released a bulletin on Monday following a February 21 cyberattack on Change Healthcare that resulted in widespread payment processing outages.

WHY IT MATTERS

Health-ISAC said in a threat intelligence bulletin Monday that, based on information published by intelligence firm RedSense, Change Healthcare and other organizations were breached through the ConnectWise ScreenConnect vulnerabilities – CVE-2024-1708 and CVE-2024-1709.

ScreenConnect is remote desktop software with both on-premises and in-cloud deployments.

On February 19, ConnectWise alerted users to a remote code execution flaw that can be leveraged to bypass authentication in ScreenConnect servers and advised its customers to update immediately to prevent attacks, because more organizations will be compromised, according to Health-ISAC.

"We would expect to see additional victims in the coming days," said researchers.

Health-ISAC also stressed that healthcare organizations with ConnectWise ScreenConnect in their environments should review the specific indicators and recommendations in the bulletin.

While Change Healthcare, a software and data analytics vendor that is part of Optum and owned by UnitedHealth Group, said Monday in an update posted on its website that it has "a high level of confidence" that Optum and United systems have not been affected by the cyber incident, it has taken its own systems offline.

"Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact," the company said in the update. "This action was taken so our customers and partners do not need to."

Health-ISAC advised organizations to consider the risks and the consequences of also disengaging from Optum, which would affect prior procedure authorizations, electronic prescribing and other patient-care functions. 

"Ultimately, your organization should make its own determination on whether or not to block Optum specifically while considering all the risks and consequences of doing so," the organization said.

The American Hospital Association also issued an advisory Monday to its members about its alignment with the threat intelligence recommendations. 

In a previous alert, AHA had recommended that all healthcare organizations that were disrupted or potentially exposed consider disconnection from Optum until it was deemed safe to reconnect.

According to an email Tuesday from UnitedHealth Group, more than 90% of the nation’s pharmacies have modified electronic claims processing to mitigate impacts stemming from the Change Healthcare breach and have implemented offline processing workarounds.

"Both Optum Rx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million [pharmacy benefit manager] members not being able to get their prescriptions," a spokesperson said.

THE LARGER TREND

Reuters reported on Monday that the source of the attack behind the disruption at pharmacies is the Blackcat ransomware gang, according to sources citing Alphabet's Mandiant as handling incident response.

In December, the FBI announced that it had seized Blackcat servers and its website, but the ransomware group alleged in a note sent to Krebs on Security that it unseized the server and would offer affiliates a 90% commission.

Blackcat attacked numerous hospitals, according to John Riggi, AHA's national advisor for cybersecurity and risk.

"This also serves as an example of how essential it is for victims of cyberattacks and the healthcare sector to exchange cyberthreat intelligence with the government," he said when the FBI announced that it had decryption keys for Blackcat ransomware victims. 

"Beyond the immediate implications for affected individuals, such breaches have far-reaching consequences, shaking the foundation of trust in healthcare systems' ability to safeguard personal data" and driving investments in technologies that fortify cyber defenses, Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said in an email Tuesday to Healthcare IT News.

ON THE RECORD

"Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute," said Health-ISAC researchers in the bulletin. 

"When considering connectivity to nonimpacted Change Healthcare systems, each healthcare organization should weigh possible clinical disruptions and business impacts caused by severing the connection to nonimpacted Optum, Change Healthcare, UnitedHealthcare and/or United Health Group systems," AHA said in a statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
