Understanding the Change Healthcare Breach and Its Impact on Security Compliance

Healthcare ransomware incidents are far too common, but none have wreaked as much havoc as the recent Change Healthcare attack. Rick Pollack, President and CEO of the American Hospital Association stated that “the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” And congress members have said that “the breach of Change was tantamount to targeting the health care system in its entirety.”

In late February, the ALPHV/BlackCat ransomware gang claimed responsibility for hacking Change Healthcare, a subsidiary of UnitedHealth Group. The intruders disrupted operations and stole up to 4TB of data, including personal information, payment details, insurance records, and other sensitive information. This led to a non-verified ransom payment of $22 million. 

Change Healthcare plays a pivotal role in managing clinical criteria for pre-authorization, verifying coverage, and processing patient claims to third parties. After the attack, Change Healthcare was forced to take key operations offline, and the rebooting of their systems has been patchy. 

The incident jeopardizes the very survival of countless healthcare providers nationwide due to delays in patient care and reimbursement. The hack generated massive economic and legal shockwaves across the U.S. healthcare industry, from major industry players to small town rural physician practices.

If that wasn’t bad enough, fresh reports have surfaced that Change Healthcare is being extorted again by another ransomware group called RansomHub that claims to own sensitive data stolen in the breach.

How has this unprecedented cyber attack impacted security compliance? Let’s find out.

A timeline of the Change Healthcare attack

February 21, 2024

Change Healthcare cyber attack is detected. The company makes an announcement, disconnects networks, and takes operations offline.

February 22, 2024

Hospitals, health systems, and pharmacies report disruptions from the attack.

February 26, 2024

Ransomware group BlackCat claims responsibility for the attack.

February 27, 2024

The Department of Health and Human Services (HHS) warns hospitals to be wary of BlackCat hackers.

February 29, 2024

Change Healthcare confirms BlackCat is behind the attack. BlackCat claims to have stolen six terabytes of data from Change Healthcare, including patient Social Security numbers, medical records, and information on active military personnel.

March 1, 2024

Optum introduces a temporary assistance program for providers without adequate cash flow due to the attack.

March 3, 2024

BlackCat receives an unconfirmed bitcoin payment worth $22M.

March 4, 2024

The AHA deems Change Healthcare’s temporary funding program for affected providers inadequate, and US Senate Majority Leader Chuck Schumer asks Change Healthcare to speed up payments to hospitals. Large health systems lose more than $100M a day due to interruptions.

March 6, 2024

At least five federal lawsuits are filed against Change Healthcare’s parent company, UnitedHealth Group, over the cyberattack.

March 8, 2024

The AHA says it will take several weeks (or months) before hospitals and other healthcare organizations can fully recover from the attack.

March 13, 2024

The federal government initiates an investigation into UnitedHealth and Change Healthcare regarding HIPAA compliance in light of the cyberattack.

March 15, 2024

Change Healthcare’s electronic payments platform resumes operations, with payer implementations in progress. A survey conducted by the American Hospital Association reveals that nearly 94% of hospitals have experienced financial repercussions from the cyberattack.

March 18, 2024

UnitedHealth Group discloses that it has disbursed over $2B to healthcare providers and is rolling out new software to streamline medical claims preparation. The company successfully reinstates 99% of its pharmacy network services.

March 22, 2024

Senator Mark Warner (D-Va.) introduces a bill proposing cybersecurity-related conditions for Medicare accelerated and advance payments during cyberattacks.

April 4, 2024

Change Healthcare asks a U.S. court panel to consolidate at least 24 class actions accusing the payment processor of failing to protect personal data from February’s cyber hack.

April 8, 2024

Senators Josh Hawley (R-MO) and Richard Blumenthal (D-CT), send a letter to UnitedHealth Group Chief Executive Officer Andrew Witty demanding answers about the attack.

April 16, 2024

Reports surface that a relatively new ransomware group – RansomHub – issued a demand stating it had acquired the stolen data from a former ALPHV affiliate. RansomHub demands payment to prevent the data from being leaked. Screenshots are leaked that appear to be Change Healthcare data and files including patient data. The group claims it will sell the stolen data to the highest bidder if Change Healthcare and UnitedHeath refuse to negotiate payment.

Unprecedented collateral damage

A survey conducted by the American Medical Association (AMA) revealed a wide blast radius due to the Change Healthcare cyber incident. The numbers speak for themselves in percentage of surveyed practices affected:

• 36% have seen claims payments suspended
• 32% have not been able to submit claims
• 39% have not been able to obtain electronic remittance advice
• 77% of respondents said they experienced service disruptions 
• 80% of providers said they lost revenue from unpaid claims
• 78% lost revenue from claims that they have been unable to submit
• 55% have used personal funds to cover expenses incurred as a result of the attack

Nearly half of respondents said they’ve been forced to enter new (and potentially costly) arrangements with alternative clearinghouses to conduct electronic transactions. While some practices have received advance payments, temporary funding assistance, and loans, issues persist with all of those measures. Meanwhile, UnitedHealth Group said it’s paid out more than $2B to help health-care providers who have been affected by the cyberattack.

The survey also quoted affected physician practices. Their words reveal the pain being felt across the country:

• “This cyberattack is leading me to bankruptcy, and I am just about out of cash”
• “SOOOO much overtime dealing with this. Cost me an additional $50,000 in payroll.”
• “…estimated $100,000 in unexpected costs.” 
• “This crippled our brand new practice. I am keeping the lights on using personal funds.” 
• “I have not taken a salary for a month and am borrowing from personal funds to keep practice going.”
• “…may bankrupt our practice of 50 years in this rural community…”

OCR investigation underway

Due to the widespread damage of the ransomware attack, the Office for Civil Rights (OCR) at the Department of Health and Human Services decided to open a HIPAA compliance investigation of Change Healthcare.

In a “Dear Colleagues” letter, OCR Director Melanie Fontes Rainer said, “[W]e are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

This is an usual move by the OCR, but “the breach warrants swift investigation to determine if Change Healthcare and its parent company were fully compliant with the HIPAA Rules,” commented Steve Alder, Editor-in-Chief, The HIPAA Journal.

What about HITRUST?

Long before the recent attack, Change Healthcare had earned HITRUST certification status for its enterprise infrastructure and Change Healthcare Platform. The company’s website says, “HITRUST Risk-based, 2-year (r2) Certified status demonstrates that the organization’s major implemented systems and platforms have met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Change Healthcare in an elite group of organizations worldwide that have earned this certification.”

The HITRUST certification is meant to send a signal to regulators, customers, and stakeholders that they can trust the strength of a certified organization’s cybersecurity and data protection program. While it would be unreasonable to expect any cybersecurity strategy to be infallible, one wonders how solid Change Healthcare’s defenses actually were if they suffered such a crippling attack. 

HITRUST not only provides comprehensive security controls and data security improvement, it’s also the only guaranteed way to achieve HIPAA compliance. In the wake of the Change Healthcare incident, many organizations are scrambling to adopt the HITRUST framework, and for good reason. The HITRUST 2024 Trust Report revealed the HITRUST Assurance Program™ dramatically reduces information breaches, resulting in incredibly low occurrence of breaches — just 0.64%.

The HITRUST framework is widely accepted as a gold standard for compliance, and it’s currently unclear how Change Healthcare may not have fully complied with HITRUST procedures and recommendations. All this has lawmakers posing serious questions to the healthcare service provider.

Lawmakers want to know how and why the Change Healthcare breach happened

On April 1, Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and Subcommittee Chair, Richard Blumenthal (D-CT), wrote a scathing letter to UnitedHealth Group Chief Executive Officer Andrew Witty demanding information about the attack.

The letter states that, “While we recognize that UHG was indeed the victim of an outside attack, the entire sector is now the victim of UHG’s lack of preparedness and built in redundancies, which could have potentially mitigated the widespread impact of the breach.” 

The senators stated that Change Healthcare was part of U.S. healthcare critical infrastructure processing 15 billion transactions and $1.5T in healthcare claims annually. The company handled as many as one of every three patient records in the country. From the senators’ point of view, “The result of UnitedHealth Group’s failure to properly safeguard against cyber threats and the subsequent, extended outage of its services has been dire.” 

Some questions being posed to the company by the lawmakers include:

1. How did the hackers behind the Change Healthcare cyberattack initially breach the company and gain such significant access to its systems? 
2. Requests for a detailed timeline of all events related to the breach, including the date and background on the discovery, response, and remediation of compromised systems or disabled services.
3. What data, including provider or patient data, was compromised in the attack?
4. Why has it taken so much time for the Change Healthcare and UnitedHealth Group systems to recover from the attack, and why did Change Healthcare not have sufficient redundancy to prevent an outage? 
5. Request to describe Change Healthcare’s plans to respond to potential cyberattacks and why those plans appear to have failed. 
6. What, if any, cybersecurity improvements have Change Healthcare and UnitedHealth Group made since the attack?

The larger security compliance backdrop

As the fallout from the Change Healthcare cyberattack continues, coincidentally, the Cybersecurity and Infrastructure Security Agency (CISA) recently published a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.

CISA’s 447-page Notice of Proposed Rulemaking (NPRM) is now open for public feedback through the Federal Register. According to the NPRM, covered critical infrastructure organizations, such as healthcare, will be required to report incidents within 72 hours after a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.

CISA was tasked to develop the NPRM by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments. CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.

Where does healthcare security compliance go from here?

As the saga of the Change Healthcare cyber attack continues, the overall impact on the industry remains to be seen. Undoubtedly, the company will conduct damage control for some time as well as in-depth forensic investigation into the exact vulnerability that was exploited in the attack. Meanwhile, the healthcare industry will likely increase its reliance on certifications like HITRUST. 

The massive scale of the Change Healthcare incident invites the entire sector to do some serious soul searching. If an organization with such a large footprint was hacked, leading to historical levels of damage, what measures should be implemented to prevent future incidents? Perhaps Red Team testing — where cyber teams act as attackers to find vulnerabilities — will rise in demand. One can only imagine how this would impact the cost of security. Either way, faithfulness towards compliance will undoubtedly become even more of a priority.  

Security has increasingly become a central player in business decision making. Still, many CEOs seem to have been hedging their bets, either through cyber insurance plans or simply minimizing the problem to their peril. But due to the damage resulting from the Change Healthcare incident, cyber might catapult to become the most important issue in the hearts and minds of business leaders today.

In the aftermath of the Change Healthcare cyber attack, the government campaign for stricter compliance will take on even more importance. We can expect more stringent regulation, tiger controls, and stiffer penalties for non-compliance, which comes as no surprise as the stakes have never been higher.