Breaking: UnitedHealth admits to paying ransomwareistes on Change stolen patient data (updated)

Admitted, finally, to CNBC on Monday. UnitedHealth told CNBC in a statement. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.” UHG’s release alludes to this but without specifics as to what entity was paid (ALPHV? RansomHub?) nor the amount. It vaguely states that it reviewed 22 screenshots “some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor” and that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals”. This seems to point to the most recent RansomHub offer of 4TB of Change Healthcare PHI/PII for sale, not the original breach, but UHG’s information is inconclusive for the reader. Also Becker’s.

However, the admission that Change files were breached and a ransom was paid is substantial and points to multiple leaks of the PHI and PII on multiple sites. Despite no identification and notification of customers yet, UHG is offering a support hotline to individuals concerned about the cyberattack, offering free credit monitoring and identity theft protections for two years plus “emotional support.”

Another fun fact that DataBreaches.net points to in its short article is that the Wall Street Journal (also cited by TechCrunch) said that its research indicated that the original breach came from stolen remote access credentials. It took only a week for ALPHV’s hackers to explore the system before deploying the cyberransom and hacking software through Change’s systems. Updated: the WSJ pins the original breach to 12 February but the hackers didn’t ‘detonate’ the ransomware till 21 February. Also multi-factor authentication is standard operating procedure for remote access, but MFA wasn’t enabled on this.  Developing and will be updated. Our article posted on Monday here with links to our prior articles.

Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here’s the latest updates from DataBreaches. net

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data. 

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify they had the data, asking if 2) was it ‘notchy’s data’, and 3) how did RansomHub obtain it if not ‘notchy’? RansomHub also leaked some screenshots of  2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.” 

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data in now for sale. Anyone interested in the purchase should contact RansomHub. 

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty. 

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), Genoa (OptumRx-unknown). Notices range from immediate, to two weeks into May, and forward. Types of jobs eliminated have been at all levels of regional and corporate, affecting engineers, care management, clinical, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

News roundup: Congress hammers absent UHG on Change cyberattack–and more; 10% unhinged at Hinge Health; Steward Health nears insolvency; Two Chairs $72M Series C

UnitedHealth Group facing direct Congressional criticism–and didn’t show up to answer it. The House Energy and Commerce Committee held a hearing yesterday on the BlackCat/ALPHV cyberattack on UHG/Optum’s Change Healthcare systems. Representatives of the American Hospital Association, which we noted led the earliest efforts to assess the situation, help health systems, and then lobby Health and Human Services to assist providers, the College of Healthcare Information Management Executives, and the Healthcare Sector Coordinating Council testified to a restive group of House representatives. Though reports have said that UHG had previously briefed the committee and CEO Andrew Witty will appear before the Senate Finance Committee on 30 April, both Republicans and Democrats didn’t spare the criticism. Other issues, such as healthcare provider consolidation, cybersecurity coordination, and vertical integration through acquisitions as represented by UHG and Change, entered into the hearing. And it went pretty far. Rep. Buddy Carter (R-GA): “The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up.” Rep. Anna Eshoo (D-CA): “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system,” and called it “outrageous”. 

The current administration’s proposed $800 million investment in hospital cybersecurity protections was typed as “woefully insufficient.” 

Returning to the main issues, Larry Bucshon, MD (R-IN) stated that both the government and private companies were slow in assisting providers. John Riggi, AHA’s national adviser for cybersecurity and risk testified that “The federal government did not step in for weeks. Needed flexibilities under Medicare were not immediately available. It took 18 days for CMS to begin allowing providers to apply for advancing accelerated payments.” On how it affected providers, 94% of respondents in an AHA provider survey felt a financial impact from the attack, over half reported a “significant or serious” impact, and 74% of hospitals reported a direct effect on patient care. Payers are resisting advanced payments. UHG was even accused of exploiting the cyberattack to purchase additional practices by Rep. John Joyce, MD (R-PA). Becker’s, Chief Healthcare Executive, STAT

This Editor has previously noted that UHG is taking a $1.6 billion charge for the cyberattack and is separately facing a DOJ investigation on multiple antitrust issues between the payer group and Optum, including their Amedisys buy [TTA 6 Mar]. UHG is also facing multiple class-action lawsuits from practices currently and expected from patients affected by the theft of PHI and PII [TTA 28 Mar]. It’ll be a busy spring and summer for UHG’s legal department.

Hinge Health cuts 10% of staff. Reasons given were the standard tropes of ‘long-term sustainable business’, ‘accelerate our path to profitability, speed up decision making, and better focus our investments’ plus ‘realign our organization’. Their employee group is estimated at 1,700 on LinkedIn, making this about 170 staff released in various functions including engineers. The company is preparing for an IPO, which may not be this year, since they claim to have $400 million in cash on the books. Hinge’s last raise was an October 2021 $400 million Series E led by Tiger Global and Coatue Management for a total funding of $826.1 million over 10 raises (Crunchbase). At that time, their valuation was a bubbly $6.2 billion. Their virtual musculoskeletal rehabilitative therapy for back and joint pain care has since then expanded to rehab for pelvic pain, bowel, and bladder control. TechCrunch  As predicted in our Rock Health Q1 review, Hinge is a perfect example of companies “pursuing IPO and M&A exit pathways concurrently to keep options open” by presenting their financials as if they were already public companies. 

Steward Health Care nears bankruptcy court. And the Optum buy of Stewardship Health practices won’t save it in time. Steward’s lenders are giving the health network until the end of April–two weeks away–to prove it can repay its considerable debts. Its recovery plan which included the Stewardship sale has been criticized as unworkable given the volume of debt and the regulatory implications of selling their hospital assets. The Optum acquisition is required to undergo a 30-day review by Massachusetts’ Health Policy Commission (HPC)–and while it was announced at the end of March, it had not started by mid-April. Given UHG’s other problems and scrutiny of practice purchases by the DOJ and FTC, Optum may walk away or wait. No purchase price had been announced but it would be a drop in a bottomless well anyway. The mounting problems of Steward Health Care are detailed in Healthcare Dive’s analysis.

And to end on a more optimistic note, Two Chairs, a telemental health provider out of San Francisco, scored a $72 million Series C. Lead investors are Amplo and Fifth Down Capital with debt financing from Bridge Bank. The new raise, majority equity, brings Two Chairs’ total funding to $103 million. Their hybrid virtual and in-person therapy model is available at present in California, Florida, and Washington and markets to consumers, payers (Aetna nationally, Kaiser Permanente in Washington and Northern California), providers, and employers. The company states it will use the fresh funding to expand its markets and improve its technology platform. Currently, they have more than 500 clinicians on staff, most of whom are full-time. Their differentiator in the crowded telemental health category is their emphasis on measurement-based care, aided by a “matching consult,” facilitated by a proprietary 300-variable algorithm that creates the right therapist-client match (the ‘two chairs’ of the company’s name), which studies indicate is the most important factor in determining a good outcome.  Release, FierceHealthcare, MedCityNews

Mid-week news roundup: US offers $10M for BlackCat/ALPHV info; most Change systems still down; Risant closes Geisinger buy; SureScripts exploring sale; DarioHealth 2023 revenue -23%; Amazon Pharmacy same-day delivery NYC and LA

US State Department pays well for Big Breach information. Interestingly, this US agency through the Diplomatic Security Service has a special program, Rewards for Justice (RFJ), for cyberattacks that are deemed “malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”. The activities of the now-disappeared (ha ha!) BlackCat/ALPHV  ransomware-as-a-service (RaaS) group, identified on 29 February as the culprits in the massive Change Healthcare/Optum system takedown, are now listed as qualifying for a reward, presumably as disruptive to US healthcare and not just UnitedHealth Group. Contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). That is, if you dare! Rewards for Justice release, Becker’s

Six weeks later, most Change services are still X-d on the Optum Solution Status page. A quick rundown of the hundred or so programs that Change provides to enterprises has a long line of Xs with some triangles containing ! (partial outage) or yellow boxes (degraded performance). The green checkmarks are clustered in high-priority areas such as pharmacy solutions and clinical decision support. Otherwise, they are scattered across categories. The summary on the top of page (dropdown) lists workarounds for specific programs such as batch processing and transitioning over to Optum systems unaffected by the attack. This Editor bets that most of these Change legacy systems will come back only partially if at all–many will be abandoned and replaced by Optum systems. Hat tip to HIStalk 29 March

Risant Health, the non-profit community hospital system founded by but separate from Kaiser Permanente, has closed its acquisition of Pennsylvania-based Geisinger Health as of 2 April.  Jaewon Ryu, MD, JD, currently Geisinger’s president and CEO, will move to CEO of Risant Health, with Terry Gilliland, MD, replacing him at Geisinger. The Risant plan announced last April is that Kaiser will fund $5 billion to Risant, which will acquire now four or five health systems over the next four to five years. The health systems will retain their names and operational areas. The purpose of Risant is to bring community systems it acquires greater access to capital, technology, and resources for facility improvements, innovation, and investment in patient care. Keeping an eye on 109-year-old Geisinger. Risant release

Mega e-prescription system Surescripts is exploring a sale. Silicon Valley investment bank TripleTree is handling the search for buyers. Currently, Surescripts is owned 50% by CVS Caremark and Cigna-owned Express Scripts, with two trade groups, the National Association of Community Pharmacies and the National Association of Chain Drug Stores, owning the other 50%. It isn’t disclosed in the Business Insider ‘reveal’ what group(s) is interested in selling all or part of its ownership. Since Surescripts holds 95% of the e-prescribing market, any buyer or investor would need be mega flush to buy into it. 

DarioHealth didn’t have a great 2023. Net revenue was down 23% versus 2022: $20.4 million to the prior year’s $27.7 million. The chronic condition management company managed to narrow its 2023 net loss of $59.4 million from $62.2 million in 2022. A lot of the problems seemed to center on their Q4, with net revenue that declined to $3.6 million from $6.8 million in Q4 2022 and a net loss that increased to $14.3 million from $12.6 million in Q4 2022.  Dario’s gross profits for 2023 were down 38% to $6 million, a decrease of 38% versus 2022’s $9.7 million. The changing financial picture was attributed to a new private label platform with Aetna launching in 2024, changing from a B2C to a B2B2C model, and February’s “transformational acquisition” of Twill (Happify) in telemental health. As this Editor noted then, it was a feat of funding legerdemain that rivaled a Frank Lorenzo deregulation-era airline acquisition. Their information around 2023 earnings isn’t much different. Dario provides a combined app and in-person approach to musculoskeletal (MSK) therapy, diabetes (including GLP-1 drugs), hypertension, weight management, and behavioral health. Mobihealthnews, Dario release

And speaking of pharmacy, Amazon Pharmacy expanded same-day medication-delivery offerings to NYC residents and the greater Los Angeles area. This adds to same-day prescription delivery available in Phoenix, Austin, Seattle, Indianapolis, Miami, and Texas, including free drone delivery in College Station. How it works: Amazon has small facilities and pharmacists near the areas, ready to fill and deliver medications in minutes using genAI and machine learning tools. Delivery in NYC/Manhattan will be by bike and in LA, electric vans or other commercial vehicles. (Editor’s note: bike delivery in the outer boroughs is like LA–impractical.) Amazon Prime members have additional benefits. Competition here are online companies like Mark Cuban Cost Plus and GoodRx’s prescription service. But perhaps it’s a good time to sell Surescripts? Mobihealthnews

Is BlackCat/ALPHV faking its own ‘death’? (updated) HHS and CMS come to Change affected providers’ assistance with ‘flexibilities’

BlackCat/ALPHV blames the FBI for another ‘shutdown’ and exits, stage left. BlackCat put up a copy of the shutdown screen (left) that appeared on their old leak website back in December [TTA 22 Dec 23] on their new leak website, claiming that law enforcement shut them down. This was not confirmed by the FBI either way, but Europol and the NCA confirmed to Bleeping Computer that they had no recent activity involving BlackCat. The other tell was that the source code on both screens was different–it was served up on another server.

On a Russian hacker forum called Ramp, BlackCat/ALPHV claimed that they “decided to completely close the project” and “we can officially declare that the feds screwed us over. The source code will be sold, the deal is already being negotiated”. The source code is reportedly up for sale for $5 million.

As to the $22 million, BlackCat/ALPHV never admitted it was paid by Optum/Change (nor is Optum confirming), but the affiliate called “notchy” which didn’t get paid [TTA 5 Mar] shared (to Bleeping Computer) that “a cryptocurrency payment address that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.” That wallet distributed (seven) equal payments of $3.3 million in bitcoin to other wallets.

(Update) Speaking of “notchy”, let’s not forget that this affiliate claims to have 4 TB of PHI/PII data from Change that could be sold or leaked. Since they never got paid by BlackCat/ALPHV, it’s safe to assume that information will be up, so to speak, for grabs.

When it all adds up–the fake FBI ‘raid’, shutting down servers, the signoff on Tox of “GG’ (good game?), the cutting off of affiliates (which also confirmed this to DataBreaches.net–and may or may not have been paid)–it resembles an exit scam.

(Update) Another excellent summary about ALPHV in Krebs On Security also updates LockBit, which was seized in an international takedown in February, and about governmental entities they ransomwared.  To be continued….

The lobbying of HHS by Congress, the American Hospital Association, and UHG to help out providers has produced some results. On 5 March, Health and Human Services (HHS) issued a statement that summarized various ‘flexibilities’ and workarounds to aid providers who cannot access systems or have to resort to alternatives to ensure continuity of services to patients. These will be administered through the Center for Medicare & Medicaid Services (CMS) and range from prior authorization, advance funding, and claims processing for Medicare. From the statement:

  • Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch.
  • CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages.
  • CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
  • CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies
  • If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs. CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them.

Many payers are also making funds available while systems are offline. Hospitals may also face “significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration.”

The statement closes with a reminder of HHS’ December concept paper on cybersecurity strategy for healthcare. DataBreaches.net (full statement), Becker’s

(Update) More on how this is affecting patient care focusing on cancer treatment, from the point of view of a Community Oncology Alliance spokesman. In addition, how consolidation is making healthcare more vulnerable to cybercriminals, and comments on UHG and Federal processes and payment offers to date. HealthcareITNews.

And DDoS attacks and questionable downtimes are now common.

Editor’s Update 11 Mar: The DataBreaches.net website had a major DDoS attack on 7 March and was down for two days thru 8 March. It is now fully up and running with our links working.

Multiple US Government websites went down Thursday evening 7 March based on news reports: Department of Homeland Security (DHS), Customs and Border Protection (CBP), Immigration & Customs Enforcement (ICE), Citizenship and Immigration Services (USCIS), US Secret Service and Federal Emergency Management Agency (FEMA). The timing based on the State of the Union address to Congress is, well, interesting. Daily Express   Later reports announced restoration later in evening. Cyberincidents are not exactly unknown on government websites.

Reality Bites Again: UHG being probed by DOJ on antitrust, One Medical layoffs “not related” to Amazon, the psychological effects of cyberattacks

When It Rains, It Really Pours for UnitedHealth Group. On the heels of their Optum/Change Healthcare ransomware disaster are recent reports that the US Department of Justice is investigating UHG over multiple antitrust concerns. According to the Wall Street Journal, DOJ is examining certain relationships between the company’s UnitedHealthcare insurance unit and its Optum services unit, specifically around Optum’s ownership of physician groups. UHG has been aggressively buying and buying interests in practice groups for several years, announcing quite publicly that their goal was to own or control 5% of US physicians. In 2022 and 2023, they bought CareMount, Kelsey-Seybold, Atrius Health, Healthcare Associates of Texas, and Crystal Run Healthcare (Becker’s). Local reporting by the Examiner News in Westchester, NY, brought much of this history to light. In that area, it started with local practice group CareMount and their 25% layoff after being folded into Optum Tri-State with ProHealth in Long Island and NYC and Riverside Health–a layoff pattern that accelerated in the practice groups in 2023.

DOJ lost out on their challenge to the Change Healthcare acquisition in November 2022, deciding not to appeal the Federal District Court decision in 2023 [TTA 23 Mar 2023]. But DOJ never sleeps; they are examining with a microscope UHG’s $3.3 billion bid for home health provider Amedisys that started in August 2023 and has not moved forward. DOJ has a long memory, a Paul Bunyan-sized ax to grind, and doesn’t like losing. One wonders if now UHG has buyer’s remorse after fighting for two years to buy Change.

In the Alternate Reality Department, One Medical CEO Trent Green insisted that their reorganization and layoffs were unrelated to their acquisition by Amazon. Those of us who are a little less credulous know that with 98% of acquisitions, staff are laid off. Overlapping areas wind up being pinkslipped, no matter their individuals’ quality or even difference in business: finance, HR, legal, marketing, IT, operations, compliance, sales, account managers…the list is almost endless. According to the Washington Post article (also Becker’s), One Medical cuts, estimated at up to 400, also included front desk staff, office managers, health coaches, behavioral health specialists and a pediatrician–people who aren’t employed by other Amazon units. One Medical’s corporate offices in New York, Minneapolis, and St. Petersburg, Florida are closing, and its San Francisco office space is reduced to one floor. TTA 14 Feb

One Medical has never been profitable, as this Editor noted when the acquisition was announced as part of the “race to transform healthcare models”. This wasn’t going to last long with Amazon, which has been aggressively been cutting and dumping in other units such as Audible, Prime, and Halo. Marketing Amazon-style with deeply discounted memberships to Prime members also has its limitations. One Medical has a scant 200 mostly urban offices, which means that members outside those areas only have access to virtual visits. It had previously cultivated a patient population of young, mostly healthy and lower-cost urbanites, who as they grow older and have families might stick with the practice–or find it not compatible with or targeted to their needs in middle age. Management has changed: Green replaced Amir Dan Rubin, MD, as CEO last September. CFO Bjorn Thaler will move to a new position focused on growth initiatives. A layer of regional general managers will report to an Amazon head of operations, and legal, finance, and technology teams will report to Amazon’s healthcare business structure. Inbound calls now go to Mission Control, a central call center, and even those humans will be in future supplemented by an AI-enabled chatbot.

Iora Health, One Medical’s specialized (acquired) unit in Medicare Advantage and Medicare Shared Savings Programs including the advanced ACO REACH model, in October was rebranded as One Medical Senior, with an intention for all One Medical offices to serve age 65+–but with current patients, many with multiple chronic conditions, now reporting cutbacks in callbacks, appointment length, physician load, and services provided such as transportation. One clinic had 20 staff cut back to five with patients pushed out to virtual visits–hardly appropriate for a high needs, older, less technologically savvy patient population in value-based care, quality-measured models. Editor’s note: having had some experience in ACO and VBC World, Amazon may as well get out of ACOs because practices in these primary care models require specialized and dedicated management, reporting, and population nurturing. They don’t mainstream well.  I have also read that ironically, Iora was profitable for OneMedical, which is 1) why they bought it and 2) ran it separately.

In this Editor’s view, human costs are a factor shown to be absent from Amazon’s business calculations for success–which doesn’t quite square with the mission of healthcare for healthier patients and better outcomes.

Speaking of the reality of human cost, let’s spare a thought for those dealing with the effects of a cyberattack or data breach. They are the IT staff, pharmacists, software specialists, front line clinicians, billing specialists, doctors, therapists, business managers, coders…the list goes on. They share their feelings of frustration, helplessness, distress, aloneness, and financial fear on Reddit, Twitter/X and other forums. Few think of them taking the brunt of patient frustration and their state of mind day after day as Change/Optum’s disaster goes on and on. Writer Molly Gamble of Becker’s has the final and most sympathetically descriptive say in her brief but important article about When ransomware strikes, who to call?  A full read is recommended.

Helplessness or loss of control, especially at a collective level, can be psychologically and emotionally taxing. Recognizing a threat but not knowing what to do about it can increase one’s stress, anxiety and fear. The lack of a known end point of a cyberattack like Change is experiencing can intensify psychological distress. Some independent therapists, for instance, have noted they have halted their insurance billing for a week due to the downtime and expressed fear about going longer without income. 

These mental effects, while lesser-discussed, are exactly what cyberthreats intend to bring on. Cyberterrorists want to create mental and physical harm, and research has found that the psychological effects of cyber threats can rival those of traditional terrorism.

Week 2: Change Healthcare’s BlackCat hack may last “for the next couple of weeks”, UHG provides temp funding to providers, AHA slams it as a ‘band aid”–but did Optum already pay BlackCat a $22M ransom? (updated)

The BlackCat/ALPHV ransomware attack on Change Healthcare’s systems continues. At this point, the Optum systems website doesn’t show anything other than a chronological trail of updates and a long list in very small gray type of Change Healthcare systems affected–no more individual checks on working systems and red Xs on the ones that weren’t. 

  • UnitedHealth Group is setting up a program to loan funds, the “Temporary Funding Assistance Program,” to providers who cannot receive payments while Change systems are down. While without fees or interest, the loans will have to be repaid.
  • In a Tuesday 27 Feb conference call with hospital cybersecurity officers reported by STAT, UHG Chief Operating Officer Dirk McMahon said that the program will continue “for the next couple of weeks as this continues to go on.” This is more of a timeline than UHG has otherwise disclosed.
  • The American Hospital Association (AHA) on Monday slammed the “Temporary Funding Assistance Program” as “not even a band-aid on the payment problems” that hospitals are experiencing. The program is, in their view 1) “available to an exceedingly small number of hospitals and health systems” and with “shockingly onerous” and “one-sided contractual terms” and conditions for payback and verification through access to claims payment data. For their members, “their financial future becomes more unpredictable the longer Change Healthcare is unavailable. UnitedHealth Group, which is a Fortune 5 company that brought in more than $370 billion in revenue and $22 billion in profit in 2023, can — and should — be doing more to address the far-reaching consequences that result from Change Healthcare’s inability to provide these essential hospital revenue cycle functions nearly two weeks after the attack.” 4 March letter to UHG   AHA maintains an update page for members and other providers.
  • US Senator Chuck Schumer wrote 1 March to the Center for Medicare and Medicare Services (CMS) requesting that CMS accelerate payments to hospitals, pharmacies and other providers. Also Becker’s
  • AHA wrote 4 March to all four Congressional leaders detailing the effect on providers, UHG’s assistance program’s inadequacies, and requesting assistance from HHS including requesting “Medicare Administrative Contractors to prioritize and expedite review and approval of hospital requests for Medicare advanced payments.”  

Update: According to First Health Advisory, a cybersecurity firm in healthcare, some large providers are losing $100 million daily because of the interruptions to Change/Optum’s payer systems. CNN, Becker’s

And BlackCat went All Quiet on the Ransomware Front. Bleeping Computer confirmed that BlackCat turned off their servers and took their negotiation website offline over the weekend. “The Tox messaging platform used by the BlackCat ransomware operator contained a message that does does not provide any details about what the gang plans next: “Все выключено, решаем,” which translates to “Everything is off, we decide.”” It has now been changed to “GG”.

This may or may not be related to another development–an affiliate of BlackCat/ALPHV claiming that they were scammed of a $22 million ransomware payment from Optum. These affiliates actually carry out the attacks on cybervictims using encryptors from the main entity. Dmitry Smilyanets of threat intelligence company Recorded Future picked up a message posted by “notchy” that said Change/Optum paid $22 million on 1 March to “prevent leakage and decryption key.” ALPHV suspended their account after receiving the payment and never paid them. This affiliate also claims they still have 4 terabytes of data from Change that goes deep into Tricare, Medicare, MetLife, CVS, and many other payers. As proof on the ransom, “notchy” provided a cryptocurrency payment address with a total of nine transactions. In the ultimate irony, “notchy” warned other affiliates to stop dealing with ALPHV. Cutting off affiliate ties and walking away with the cash, preliminary to another rebrand of BlackCat/ALPHV, formerly DarkSide and Black Matter? Also The Registerand DataBreaches.net–which commented that while Optum may have gotten a decryptor, what about All That Data?

BlackCat is back, claims theft of 6TB of Change Healthcare data

What’s known as of Thursday 29 February (Leap Day) about the Change Healthcare cyberattack:

  • Change and Optum have attributed it to BlackCat/ALPHV as of today. From Becker’s HealthIT:  “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” an Optum spokesperson emailed Becker’s on Feb. 29. “We are actively working to understand the impact to members, patients and customers.”
  • BlackCat is claiming it stole 6 terabytes (TB) of data in the breach. From Bleeping Computer 28 Feb:

BlackCat said that they allegedly stole 6TB of data from Change Healthcare’s network belonging to “thousands of healthcare providers, insurance providers, pharmacies, etc.”

The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military’s Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and tens of other healthcare insurance providers.

Per BlackCat’s claims, the sensitive data stolen from Change Healthcare contains a wide range of information on millions of people, including their:

  • medical records
  • insurance records
  • dental records
  • payments information
  • claims information
  • patients’ PII data (i.e., phone numbers, addresses, social security numbers, email addresses, and more)
  • active U.S. military/navy personnel PII data

Tyler Mason, UnitedHealth Group VP, had earlier stated to Bleeping Computer that 90% of the 70,000+ affected pharmacies switched to new electronic claims procedures to avoid the Change Healthcare issues. 

While this cybertheft appears breathtaking in its scope and perfect revenge as a “dish best eaten cold” for the December takedown of their websites, the amount and type of data in the exploit may be exaggerated for purposes of negotiating a rich settlement. As of today, BlackCat has not offered a number for ransom. This theft may be worth far more in selling the data to other cybercriminals in Russia, Eastern Europe, and China than demanding a ransom from UHG/Optum, which may decide to rebuild systems rather than pay up [TTA 27 Feb].

Change Healthcare cyberattack persists–is the BlackCat gang back and using LockBit malware? BlackCat taking credit. (update 28 Feb #2)

On Day 7, reports, like recollections, may differ. Today’s Reuters report (26 Feb) attributes the attack on Change Healthcare, which has snarled pharmacies and hospitals since Wednesday [TTA 23 Feb], to a revived BlackCat (a/k/a ALPHV) ransomware operation. Readers will recall that the FBI busted BlackCat right before Christmas last year, seizing their operational darknet websites and putting up a most showy home screen. They worked their way into the BlackCat operation via their affiliate operation. However, BlackCat rebooted a few days later, made an appearance, and went back underground. As Bleeping Computer predicted then, BlackCat is apparently back and, adding insult, not even under a new name. 

Bleeping Computer today reported that BlackCat’s hack went through a critical ConnectWise ScreenConnect auth bypass flaw (CVE-2024-1708 and 1709) which was actively exploited in attacks to deploy ransomware on unpatched servers. This was confirmed by Reuters and Health-ISAC, a healthcare-focused organization engaged in cyber best practices and threat intelligence, via the American Hospital Association’s AHA Cybersecurity Advisory today (26 Feb). AHA is advising healthcare organizations to actively reevaluate their connection or disconnection status of Change Healthcare systems which have been deemed safe by Optum.

As of today, BlackCat did not claim credit for taking down Change’s systems nor is there any report of a ransom demand. It is perhaps too early to determine if there has been any data theft. Nor are there reports of other healthcare or other organizations being attacked through the ScreenConnect flaw.

Optum has a page detailing the status of Change Healthcare’s individual systems here. Optum has a statement that has remained nearly the same on issues with connectivity since last Wednesday.* This Editor’s experience of the page is that it needs refreshing to view the full version. Regarding the systems, they are a long list to scroll through and your Editor lost count after 100. Most have red Xs by them. Some systems are checked green. Change is also holding Zoom calls to update partners. Reuters reported that Alphabet’s cybersecurity unit Mandiant is in charge of investigating the attack.

Change Healthcare processes 15 billion healthcare claims annually. This attack seems to have hit their pharmacy software the hardest. These software tools are used to verify patient eligibility for specific medication and also their insurance coverage. The outage not only covers the big chains like CVS and Walgreens, but also Tricare and the Military Health System (MHS) globally. TTA 22 Feb, updated 23 Feb.

A Friday report in SC Magazine indicated that the malware used by BlackCat was a strain of LockBit malware going through the ConnectWise ScreenConnect bypass flaw. Their source, Toby Goucker, chief security officer at First Health Advisory, stated that their firm found the ScreenConnect flaws and sent out a notification on 19 February. Goucker noted that bad actors prey on the gap between when these vulnerabilities are uncovered and announced, but before when patches are applied. However, Goucker was not able to confirm that Change uses ScreenConnect.

Ironically, the LockBit ransomwareistes were busted only last week by a combined UK NCA and US DOJ/FBI effort. Like weeds, they never go away entirely.

Oddly, Change Healthcare’s website home page does not have a notice about their problem or direct to a page on their or UHG’s site about it for assistance. We know you’re busy, guys, but from this Editor’s marketing perspective not having an information banner and redirect to the Optum page is a basic communication failure.

**This is a developing story and will be updated.**

*Update 27 Feb 9am Eastern Time.

A repeat of Optum’s boilerplate statement on their page today indicates this cyberattack is still unresolved for most of Change Healthcare–and will remain unresolved at least through today:

Update – Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.

We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
Feb 272024 – 09:03 EST

Identical message 28 Feb 10:48am ET indicating that the effects of this attack are now one week old.

Updated 28 Feb: DataBreaches.net (“The Office of Inadequate Security”) reports that BlackCat is taking credit for it.

“BlackCat informed DataBreaches that yes, they are responsible for the attack. DataBreaches has asked them if they are willing to share any additional details and will update this post if any are received.”

This Editor is also following coverage in the usually reliable The Register which added a reply they obtained from Optum: “Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems.” They are not confirming the perpetrators. 

#2 update from DataBreaches may point to Change Healthcare as well as healthcare in general. Here is part of a Cybersecurity Advisory (CSA) that is an ongoing #StopRansomware effort by the Cybersecurity and Infrastructure Security Agency (CISA). CISA was joined by the FBI and interestingly, the Department of Health and Human Services (HHS). They “are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.” The addition of HHS as well as February 2024 should be noted. “FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.” Could this be behind what is going on at Change Healthcare–a BlackCat full-court press versus US healthcare?

And at least one major hospital CEO wants answers now. Tampa General Hospital CEO John Couris went up to Optum’s CEO Amar Desai in the speaker room at the ViVE conference in Los Angeles on Monday, and the answer was far less than satisfactory. “And his answer to me was, ‘We’ll have an update in two days.’ So I don’t think he knows.” Mr. Couris’ speculates that Change Healthcare will 1) not pay ransom and 2) will rebuild its systems in maybe four weeks–and how that puts hospitals like his that use Change as a clearing house for claims in, to put it mildly, a pickle. MedCityNews

Mid-week roundup: Colorado terms Friday Health Plans; Cano 3 continue to savage board; Amazon Pharmacy layoffs; hacking attacks: QuickBlox, Barts Health; Phreesia buys MediFind; financing pops for K Health, Amino

Colorado liquidates, terminates insolvent insurtech Friday Health Plans. The Colorado Division of Insurance (DOI) had placed it into receivership in June after the company declared it would close, unable to find funds to operate its plans. On Monday, the DOI moved to liquidate its operations and terminate the plan effective 31 August. Their 30,000 policyholders on individual Affordable Care Act (ACA) exchange plans will be scrambling to find new coverage. In the receivership move, DOI had hoped that Friday had enough funds to keep the state plan solvent through end of year, but they did not. According to the Colorado Sun, Friday still owed unpaid Federal taxes as well as roughly $2 million in fee payments to the state’s insurance exchange, Connect for Health Colorado, which left the DOI without much hope. Friday had previously just about shut down its headquarters in Alamosa. This leaves not only 30,000 individuals scrambling, but also out eight months and perhaps thousands of dollars in deductibles as these plans tended to be high deductible. Colorado DOI opened a special enrollment period (SEP) for Friday policyholders and insurance brokers starting immediately through 31 October.  Providers are protected somewhat through the state’s Colorado Insurance Guaranty Association but many stopped taking Friday-covered patients last month. Friday’s crash-and-burn is the worst example of an insurtech’s demise to date and not promising for policyholders in other states such as Texas, Georgia, Oklahoma, and Nevada. Healthcare Dive

The Cano 3 attack in the continuation war with the Cano Health board. In the latest episode of this telenovela, resigned directors Barry Sternlicht, Elliot Cooperstone, and Lewis Gold, who among them have about 35% of the company’s shares, are still supporting interim CEO Mark Kent but pressing hard to oust three of the directors reelected at the last shareholder meeting, including Marlow Hernandez, the founder and former CEO. What’s new is that they have declared war on Sol Trujillo as chairman and Angel Morales as chair of the audit committee as allies of Dr. Hernandez. In addition to divesting five directors and the interim chief legal officer plus ending their high monthly equity awards, they support divesting non-core assets. Mark Kent will have to be Clark Kent ducking into the phone booth to succeed in this. Press release  Mr. Sternlicht cannot be in a good mood, as Starwood Capital Group is in default on a $212.5 million mortgage on an Atlanta office property, Tower Place 100, in the continuing souring of the commercial real estate market. Fortune

Amazon Pharmacy has laid off 80 employees, mostly pharmacy technicians and team leaders, in continuing cutbacks there. This is the former PillPack. One would think that it would be expanding based on the growing medical needs of One Medical and Amazon Clinic. About the latter which was to roll out nationally today but was questioned on data privacy grounds, as of today there is no update announcement. To date, Amazon has released an amazing 27,000 workers. Semafor, Becker’s

Cybersecurity also racked up some hacks in the past week or so:

  • A popular software framework used in telehealth and financial applications, QuickBlox, was found to have several critical security flaws. The QuickBlox SDK (Software Development Kit) and API (Application Programming Interface) that are used for developing chat and video applications had a vulnerability that led researchers to take over multiple accounts and compromise the user database and extract PHI. The vulnerability also permitted a hacker to impersonate a physician or patient and alter health records. This was reported by Team82 and Check Point Research (CPR) teams but have since been fixed. Blow-by-blow with screenshots in Cybersecuritynews and overview in Becker’s.
  • Barts Health NHS Trust was hacked by BlackCat, a/k/a ALPHV. What was stolen was about 70 terabytes of data, which BlackCat claims as the largest breach in UK medical history. ALPHV listed the stolen data, including employee identification documents, including passports and driver licenses, and internal emails labeled “confidential”, around 30 June. Barts runs five London-based hospitals and serves more than 2.5 million patients. The Barts Health hack adds to NHS misery with an earlier attack on a University of Manchester NHS dataset with information on 1.1 million patients across 200 hospitals. The same CLOP Russian ransomware gang that got Johns Hopkins [TTA 19 July] also got Ofcom, the UK’s communications regulator.  TechCrunch

Yes, there is good news in M&A and funding:

Phreesia is buying MediFind. No purchase price or management transition was disclosed. Phreesia is a patient intake platform that grew from a tablet used in practices for scheduling and patient check-in to a fully featured platform for workflow, claims, outreach and patient education. MediFind uses machine learning and analytics to connect patients with leading experts, clinical trials, health systems, and healthcare technologies. Phreesia is one of the few 2019 vintage IPOs to not crater–it’s trading on the NYSE at above $32 though as recently as end of 2021 its share price was double. Phreesia release.

K Health gained an unlettered venture round of $59 million from Cedars-Sinai, its new partner, plus current investors, including Valor Equity Partners, Mangrove Capital Partners, and Pico Venture Partners. This brings funding for this Israeli company to $330 million through a Series E. K Health’s platform uses a chat function that pre-screens patients with symptoms, uses AI to suggest possible diagnoses based on that person’s medical history, age, and gender, and will connect with a doctor or nurse if needed–which sounds somewhat like Babylon Health and Zipnosis. The chat can be used for primary care, some pediatric areas, urgent and chronic care management. K Health claims that 10 million individuals have interacted with K Health’s AI, and 3.1 million patients in 48 states have chatted with a doctor or nurse. FierceHealthcare

Amino, a navigation platform, received $42 million in credit financing from Oxford Finance. This was the final part of its $80 million venture raise in May. Amino connects physical and mental healthcare providers and benefits programs with members at self-insured employers and health plans, managed by third-party administrators, brokers, and human resources. Members access recommendations for providers and relevant benefits. Amino’s total funding is $125 million, mostly in venture rounds. Its last letter round was a Series C in 2017. It’s a busy sector with similar companies like Accolade, Rightway, and Transcarent.  Mobihealthnews