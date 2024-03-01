



Early on the morning of February 21, Change Healthcare, a company unknown to most Americans but one that plays an important role in the US healthcare system, issued a brief statement saying that some of its applications were “currently unavailable.”

In the afternoon, the company described the situation as a “cybersecurity” issue.

Since then, the situation has quickly turned into a crisis.

The company, recently acquired by insurance giant UnitedHealth Group, has reportedly suffered a cyberattack. The impact is broad and expected to grow. Change Healthcare is in the business of maintaining healthcare pipelines: payments, healthcare authorization requests to insurers, and much more. These channels carry a significant load. Change says on its website: “Our cloud-based network supports 14 billion clinical, financial, and operational transactions annually.”

Early media reports focused on the impact on pharmacies, but technicians say that underestimates the problem. The American Hospital Association says many of its members are not being paid and doctors cannot verify whether patients have coverage for care.

But even that's only part of the urgency: CommonWell, an institution that helps health care providers share medical records, information critical to care, also relies on Change technology. The system contained records on 208 million individuals as of July 2023. Courtney Baker, CommonWell's marketing manager, said the network “was deactivated out of an abundance of caution.”

“These are small pools of ripples that will become larger and larger over time, if the problem is not addressed,” Saad Chaudhry, chief digital and information officer at Luminis Health, a hospital system in Maryland, told KFF Health News.

Here's what you need to know about the hack.

Who did it?

Media reports are pointing the finger at ALPHV, a notorious ransomware group also known as Blackcat, which has become the target of many law enforcement agencies around the world. While UnitedHealth Group said it was an attack “suspected to be nation-state associated,” some outside analysts dispute the link. The gang has previously been accused of hacking casino companies MGM and Caesars, among many other targets.

The Justice Department said in December, before the Change hack, that the group's victims had already paid it hundreds of millions of dollars in ransoms.

Is this a new problem?

Absolutely not. A study published in the JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other providers doubled between 2016 and 2021.

“It’s pretty much the same, man,” said Aaron Miri, chief digital and information officer at Baptist Health in Jacksonville, Florida.

Because attacks disable targets' IT systems, providers must move to paper, slowing them down and making them vulnerable to missing information.

Additionally, a study published in May 2023 in JAMA Network Open examining the effects of an attack on a healthcare system found that wait times, median length of stay, and incidents of patients leaving against medical advice all increased in neighboring emergency departments. The findings, the authors write, mean that cyberattacks “should be considered a regional disaster.”

The attacks devastated rural hospitals, Miri said. And wherever healthcare providers are impacted, patient safety issues follow.

What does this mean for patients?

Year after year, more and more Americans' health data is breached. This exposes people to identity theft and medical errors.

Care can also suffer. For example, a 2017 attack, dubbed “NotPetya,” forced a rural West Virginia hospital to restart operations and hit pharmaceutical company Merck so hard that it was unable to achieve its goals for production of a vaccine against HPV.

Due to the Change Healthcare attack, some patients may be routed to new pharmacies less affected by billing issues. Patient bills also could be delayed, industry executives said. At some point, many patients are likely to receive notifications that their data has been breached. Depending on the exact data that was stolen, these patients may be at risk of identity theft, Chaudhry said. Companies often offer free credit monitoring services in these situations.

“Patients are dying because of this,” Miri said. Indeed, an October preprint by University of Minnesota researchers found a nearly 21% increase in mortality among patients at a hospital hit by ransomware.

How did it happen?

The Health Information Sharing and Analysis Center, an industry umbrella group that disseminates information about the attacks, told its members that flaws in an app called ConnectWise ScreenConnect were to blame. Exact details could not be confirmed.

It's a tool used by technical support teams to remotely troubleshoot IT issues, and the attack is “apparently quite simple to execute,” H-ISAC members warned. The group said it expects additional victims and advised its members to update their technology. When the attack first hit, the AHA recommended that its members disconnect from the systems of Change and its parent company, UnitedHealth's Optum unit. This would affect services ranging from claims approval to referral tools.

Millions of Americans see doctors and other practitioners employed by UnitedHealth and are covered by the company's insurance plans.

UnitedHealth said only Change's systems were affected and that hospitals could securely use other digital services provided by UnitedHealth and Optum, including claims filing and processing systems.

But few news executives are “rushing to reconnect,” Chaudhry said. “It’s an uneasy feeling.”

Miri says Baptist uses the conglomerate's technology and trusts UnitedHealth's word that it is safe.

Where is the federal government?

Neither executive was optimistic about the future of cybersecurity in healthcare. “It’s going to get worse,” Chaudhry said.

“It’s a shame the federal government doesn’t help more,” Miri said. “You would think that if our nuclear infrastructure was attacked, the federal government would respond with more enthusiasm.”

While the Justice and State departments targeted the ALPHV group, the government remained more behind the scenes in the aftermath of this attack. Chaudhry said the FBI and Department of Health and Human Services participated in calls organized by the AHA to inform members of the situation.

Miri said rural hospitals in particular could use more funds for security and that agencies like the Food and Drug Administration should have mandatory standards for cybersecurity.

Officials recognize to some extent that improvements need to be made.

“This latest attack is just more evidence that the status quo is not working and that we must take action to strengthen cybersecurity in the healthcare sector,” said Senator Mark Warner (D-Va.), chair of the Senate Select Committee on Intelligence and longtime advocate for stronger cybersecurity, in a statement to KFF Health News.

