Change Healthcare begins to restore service after cyberattack – as lawsuits begin

Also: The ALPHV BlackCat ransomware group may have faked a second government takedown, while the extent of the protected-data leak is still unknown.
By Andrea Fox
03:47 PM

Photo: Reza Estakhrian/Getty Images

As it begins to recover from the Change Healthcare cyberattack, UnitedHealth Group said this week that it is enabling its Rx Connect, Rx Edit and Rx Assist services for customers who have configured direct internet access connectivity.

UnitedHealth also offered what it says is a timeline for full restoration of Change Healthcare's services.

"We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week," the company said in an announcement posted to its website about the cyberattack, which began on February 21.

Here's a roundup of other news related to the weeks-long attack – including a new wave of lawsuits from customers impacted by the breach, news on BlackCat ransomware group's current status and expert perspective on why UnitedHealth may have paid the ransom.

ALPHV fakes left after $22M in Bitcoin paid 

According to Recorded Future News Friday, the Department of Justice, Europol and the U.K. National Crime Agency – all part of a December takedown of BlackCat ransomware – denied any involvement in a new takedown notice posted on ALPHV's website. 

“This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny,” Reegun Jayapaul, principal at Trustwave said in the story.

One BlackCat ransomware affiliate reportedly claimed that after getting the $22 million payment, ALPHV leaders shut down and effectively stole the entire ransom from their affiliates to make the Change Healthcare breach their last hurrah.

Ngoc Bui, a cybersecurity expert at the firm Menlo Security told Healthcare IT News by email this week that it's "highly likely" that ALPHV/BlackCat was responsible for the attack and that "the blog site discussing these matters appears to use a fake seized landing page, possibly indicating an exit scam by hackers." 

The reason for this is the "ransomware group may have taken the money and deactivated servers to avoid law enforcement attention," he said.

Patient delays, privacy, pending lawsuits

Meanwhile, Axios reported Wednesday that the first post-cyberattack patient lawsuits are beginning to emerge, focusing on loss of access to vital prescriptions and treatments.

However, the potential to expose data exfiltrated in the attack, which could be 6TB of data, is also a concern for UHG. The cybercriminals alleged that the stolen data includes protected information held by the U.S. military's Tricare healthcare program, Medicare, CVS Caremark, MetLife, Health Net and others, a Bleeping Computer report said on February 28.

"There are concerns that Change Healthcare's operations might affect the healthcare data of many Americans, given its extensive services and expertise in processing healthcare data," Bui noted.

Stolen data could have far-reaching effects down the line.

"Healthcare information is the most sought after and highest resalable data by attackers and on the dark web because it can be used in so many ways to perpetrate fraud," noted Kurt Osburn, director of risk management and governance at NCC Group, a global cybersecurity consulting firm, in a statement sent by email.

Protecting assets and information is expensive, and takes additional staff and managed services, he said. Most healthcare organizations fail to implement risk-analysis and risk-mitigation tools due to costs.

Michael McLaughlin, principal and cybersecurity and data privacy practice group coleader at the legal firm Buchanan Ingersoll and Rooney, said in an email Thursday that while UHG, which owns Optum's Change Healthcare, has not disclosed the full extent of the data breach, one class-action suit alleges the types of data exfiltrated.

The suit, filed in federal court in Minnesota, claims the ransomware group took personally identifiable information, medical records, dental records, payment information, claims information, patients’ information (i.e. phone numbers, addresses, Social Security numbers and email addresses), insurance records, patient health information and more. 

McLaughlin said that the suit bases the data on the group's claims about its role in the Change cyberattack, and advised taking it with grains of salt.

"I would urge caution in relying on statements of the ransomware actor about the types of data impacted," he wrote. The ransomware actor likely sampled files indicating sensitive information may be contained within "and based their statement on that cursory review," he said.

"This is in no way representative of the data as a whole," said McLaughlin.

Breach magnitude? Too soon to tell

"UHG paying the ransom is not indicative of the sensitivity of the data," McLaughlin said.

He explained that he believed that UHG’s decision to pay likely was primarily driven by the need to resume business operations as quickly as possible "rather than to protect the data from further exposure."

Widespread reports of providers straining in the outage have a number of organizations, like the American Medical Association, appealing to lawmakers in Washington, D.C., to release emergency funds to protect providers nationwide from the financial fallout.

UHG is likely investigating the full scope of the incident trying to understand the individuals impacted and the types of data involved, McLaughlin said. 

It's a resource-intensive process requiring advanced data mining and manual human review of "potentially millions of files."

"We will not know the full scope of the data involved until this process is complete and UHG conducts its notifications of impacted individuals, in accordance with state laws and federal regulations," he said.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.