Healthcare Groups Push for Help in Wake of Ransomware Attack on Change – Source: securityboulevard.com

Healthcare providers groups are ramping up pressure on the federal government, lawmakers, and UnitedHealth Group to help hospitals, healthcare clinics, and pharmacies that have gone more than two weeks without payments following the devastating ransomware attack on Change Healthcare, a UnitedHealth company.

Meanwhile, notorious ransomware-as-a-service (RaaS) group BlackCat – also known as ALPHV – appears to have shut down operations after stealing the $22 million ransom from the affiliate group that open up access to Change and shut down its systems.

It’s a drama that’s been unfolding since February 21, when Change Healthcare shut down its online systems after detecting the attack. The shutdown had a ripple effect throughout the industry because Change operates as a go-between for healthcare organizations and health insurance companies, running myriad operations that range from processing medical and insurance claims to moving payments to filling out drug prescriptions.

The situation not only has essentially stopped payments from flowing but also has put the brakes on many pharmacy orders.

Pressure on Congress, Agencies

The American Hospital Association (AHA) this week sent a letter to Congressional leaders urging them to take action to help healthcare facilities that have already lost billions of dollars in revenue and threaten the viability of some smaller and rural hospital.

“The staggering loss of revenue means that some hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services,” Richard Pollack, president and CEO of AHA, wrote in a four-page letter to Congress.

According to a report in Politico, the Biden Administration’s National Security Council is discussing plans to get funding to hard-hit hospitals. In addition, the Health and Human Services (HHS) Department said it is taking steps to help, including allowing Medicare providers to change clearinghouses used to process claims, encourage Medicare Advantage organizations and Part D sponsors to remove or relax prior authorization, and “strongly” encourage Medicaid and Children’s Health Insurance Program managed care programs to do the same.

“HHS has heard these concerns and is taking direct action and working to support the important needs of the health care community,” the agency said.

HHS’ move came days after James Madara, executive vice president and CEO of the American Medical Association (AMA), sent one to HHS Secretary Xavier Becerra asking him to loosen federal funds to help pay healthcare providers until the payments can begin flowing again.

UnitedHealth Plan Criticized

In a letter to UnitedHealth President and CEO Dirk McMahon, Pollack criticized a program to give struggling hospitals some help, writing that “the Temporary Funding Assistance Program that your company announced [March 1] is not even a band-aid on the payment problems you identify.”

The program offers temporary funding to loosen cash-flow problems hospitals are struggling with. However, Pollack criticized multiple parts of the plan, including suggested workarounds like manually typing claims into payer portals or sending faxes, all of which are expensive, labor-intensive, and ineffective.

In addition, the program is only open to an “exceedingly small number of hospitals and health systems,” and while it tries to address the inability of payers to make payments through Change Healthcare, it doesn’t account for providers’ inability to accurately and on time send claims to payers.

The AHA comes with some weight behind it, representing almost 5,000 member hospitals, health systems and other healthcare organizations and more than 270,000 physicians, 2 million nurses, and other caregivers.

BlackCat Grabs and Goes

Among all this turmoil in the healthcare industry has been activity on the cybercriminal side that saw an affiliate of BlackCat saying that Change had paid a $22 million ransom to regain access to 4TB of stolen data. Typically in RaaS relationships, the affiliate gets a percentage of the ransom paid, with the RaaS group getting the rest.

However, the affiliate calling themselves “Notchy” complained in a message on Ramp Forum saying that BlackCat, after getting the payment, shut down the affiliate’s account and took off with the money. The affiliate also said it still kept the 4TB of data on a range of Change Healthcare partners, including CVS-CareMark, MetLife, Health Net, and Medicare.

For its part, BlackCat reportedly has shut down operations and put its source code up for sale, adding that it is negotiating with a buyer. In a note translated from Russian, a BlackCat representative said the blame for the decision to halt operations on the U.S. government.

Law enforcement agencies form the United States and elsewhere infiltrated the group, seized its online operations, and created decryption tool to allow victims to regain control of their encrypted files. Last month, the State Department upped the pressure, offering a reward of up to $10 million for information about the group’s leaders.

BlackCat reorganized after the law enforcement shut down its operations, but now apparently have taken the money and run in a move that some cybersecurity pros saw as the key part of a larger exit strategy, possibly to rebrand and then reappear.