Dubbed the “most significant and consequential cyberattack in American history” by Becker’s Hospital Review, Russian hacker group ALPHV, also known as “Noberus” or “BlackCat,” organized a ransomware attack on Change Healthcare on February 21st of this year, extorting $22 million only to continue the attack regardless.
A subsidiary of UnitedHealth Group—a health services and insurance company that owns UnitedHealthcare—Change Healthcare is a medical revenue management and billing service used for about one in three patients nationally to complete around 15 billion transactions annually. As a direct result of the attack, healthcare providers have been losing an estimated $100 million daily, CBS News reports. While UnitedHealth Group is attempting to provide financial assistance during these difficult times, having reportedly advanced more than $2.5 billion for the cause already thus far, these efforts have far from fixed the issue entirely, with patient prescriptions still often being delayed and larger practices still struggling to meet payroll for their staff. Furthermore, relief funds must be repaid within 45 business days, according to Reuters.
Further still, as explained by the American Medical Association, due to the theft of protected health information by BlackCat, there is the potential risk of identity fraud and related scams. According to cybersecurity threat analyst Brett Callow in an interview with CNBC, ransomware groups commonly exaggerate the amount of information they’ve obtained. Nevertheless, the stolen information, which violates policies ensuring patient privacy and confidentiality under the Health Insurance Portability and Accountability Act, or HIPAA, remains a real concern, with Change Healthcare still yet to disclose exactly what information may have been stolen, according to Reuters. However, Callow further points out it can take an entity weeks to find out exactly what was exposed during a data breach. On the 13th of March, the Department of Health & Human Services, or HHS, opened an investigation into the matter, but definitive answers have yet to be given.
With all that being said, although the full extent of the damage is still being assessed in some regards and adverse effects continue to be felt nationally, UnitedHealth Group is making strides in restoring its services. According to Reuters, UHG has begun to process $14 billion worth of medical claims as of March 22nd. Also, on this day, UHG put a timeline on their official website roughly predicting when services would be back up and functioning. According to this timeline, MedRx (a medical technologies company that deals with electronic claims) is predicted to be back online the week of March 25th, and HealthQx (a data-driven service intended to evaluate the cost efficiency and quality of various medical providers and plans) the week of April 8th, with other services also predicted to come back online during this period. Check out UnitedHealth Group’s official product restoration timeline for more information regarding these services and when they will be back online. Slowly but surely, progress is being made to curb the negative effects of BlackCat’s attack.