Some Change Healthcare IT Services Will Be Back by Mid-March – Source: www.databreachtoday.com

3rd Party Risk Management
,
Fraud Management & Cybercrime
,
Governance & Risk Management

UnitedHealth Group Provides IT Restoration Timeline; AMA Is Not Impressed

Marianne Kolbasuk McGee (HealthInfoSec) •
March 8, 2024    

UnitedHealth Group expects certain key IT systems and services affected by the Feb. 21 cyberattack on its Change Healthcare unit to begin regaining functionality over the next week to 10 days. As of now, pharmacy services, such as electronic prescribing with claims submission and payment transmissions, have been restored.

But the American Medical Association said Change Healthcare’s predicted timeline for recovery of its medical claims processing is highly problematic and that the ongoing disruption will continue to cause financial havoc for physician practices.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

“While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns,” the AMA said. “Full transparency and security assurances will be critical before connections are reestablished with the Change Healthcare network.”

Meanwhile, litigation against Change Healthcare related to the attack is already piling up. At least six proposed federal class action lawsuits have been filed in the last week by individuals claiming similar allegations, including that the company failed to properly secure sensitive health information against compromise by cybercriminals (see: Next Big Bombs to Drop in Change Healthcare Fiasco).

Optum, a unit of UnitedHealth Group that acquired Change Healthcare in 2022 for $7.8 billion, said Change Healthcare processes 15 billion healthcare transactions annually. The company said Change Healthcare’s clinical connectivity solutions touch 1 in 3 patient records in the U.S. (see: The Widespread Effect of the Change Healthcare Mega Hack).

Cybercrime threat actors claiming to be BlackCat took credit for the attack, and UnitedHealth Group last week confirmed the Russian-speaking ransomware group, which also goes by Alphv, was to blame. Last week, BlackCat claimed on the dark web that it had exfiltrated 6 terabytes of “highly selective data” from Change Healthcare pertaining to “all” of the company’s clients.

Since then, a BlackCat affiliate who claimed to be behind the Change Healthcare assault reported that UnitedHealth Group paid a $22 million ransom in the attack. But the affiliate alleges BlackCat administrators kept all of the ransom payment rather than sharing the affiliate’s cut, and by mid-week BlackCat’s Tor-based dark web site claimed law enforcement had shut down its operation. Security experts dispute those claims and accuse the group’s leadership of running an exit scam (see: BlackCat Ransomware Group ‘Seizure’ Appears to Be Exit Scam).

On the legal front, a lawsuit filed on March 6 by plaintiff Jimmy Allen alleges that private information for him and class members “has been or soon will be disseminated on the dark web, to be available for purchase because that is the modus operandi of cybercriminals.”

UnitedHealth Group in an update Thursday about the attack said it is making “substantial progress” in mitigating the impact of “the unprecedented cyberattack on the U.S. health system and the Change Healthcare claims and payment infrastructure.”

The company maintains that based on its ongoing investigation, there is no indication that any other UnitedHealth Group systems have been affected by the Change Healthcare attack.

Restoration Timeline

Assuming the company’s current rate of progress continues, UnitedHealth Group said it expects functionality of Change Healthcare’s electronic payments platform to be available for connection beginning on March 15. Also, testing and reestablishing connectivity to Change Healthcare’s medical claims software will start on March 18, and services are expected to be restored during that week.

But those timelines are not fast enough, said the AMA on Friday. UnitedHealth Group’s estimate for restoration of Change Healthcare’s medical claims processing “means significant financial disruption on physician practices will extend past 26 days before there is the possibility of establishing reliable network connections,” said Dr. Jesse Ehrenfeld, president of the AMA, in a statement.

“The prospect of a month or more without a restored Change Healthcare claims system emphasizes the critical need for economic assistance to physicians, including advancing funds to financially stressed medical practices,” he said.

Nonetheless, Ehrenfeld said, the AMA “agrees” with UnitedHealth’s call for all payers to advance funds to physicians to help preserve medical practice viability during the financial disruption, “especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is reestablished.”

UnitedHealth Group on Thursday said electronic prescribing for its pharmacy services is fully functional and claim submission and payment transmission are also available. “We have taken action to make sure patients can access their medicines in the meantime, including Optum Rx pharmacies sending members their medications based on the date needed,” the company said.

“While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established – in particular, using our new iEDI claim submission system in the interest of system redundancy given the current environment.”

During the Change Healthcare outage many retail pharmacy chains as well as pharmacies in U.S. military hospitals and clinics reported being unable to process prescription claims for customers and conduct other related processes (see: Change Healthcare Outage Hits Military Pharmacies Worldwide).

UnitedHealth Group earlier in the week said it was offering temporary, interest-free, fee-free funding assistance through its Optum Financial Services unit for certain healthcare provider organizations affected by the Change Healthcare system outage (see: Optum Offering Financial Aid to Some Providers Hit by Outage).

But the American Hospital Association was highly critical of the program, saying the offer was exceedingly limited in terms of who would be eligible for the financing, and that the terms of the funding assistance were onerous (see: Groups Warn Health Sector of Change Healthcare Fallout).

The Optum financial assistance program “is not even a Band-Aid on the payment problems,” the AHA said.

Meanwhile, the U.S. Department of Health and Human Services on Tuesday said it would offer certain regulatory measures to help address “potential cash flow concerns” that have been reported by numerous hospitals, doctors, pharmacies and other stakeholders.

“This incident is a reminder of the interconnectedness of the domestic healthcare ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem,” HHS said.

HHS is urging providers, technology vendors and members of the healthcare ecosystem “to double down” on cybersecurity – with urgency. “The system and the American people can ill afford further disruptions in care,” HHS said.

U.S. Sen. Mark Warner, D-Va., chairman of the Senate Select Committee on Intelligence, said on Friday that in the wake of the Change Healthcare attack, he is planning to introduce legislation that would provide accelerated and advanced payments to providers and vendors “to protect them in the event of future disruptions, as long as they meet minimum cybersecurity standards.”

“While the repercussions of this incident have been primarily – though not wholly – financial, what keeps me up at night is the possibility of a similar widespread attack directly affecting patient care and safety,” he said. “That is why it is time to consider mandatory cyber hygiene standards for healthcare providers and their vendors.”