Short takes: both Clover and Oscar in the black; Aetna prez booted after 11 months; Ava-VSee bedside robot; updates on Change, OneBlood ransomware, Masimo proxy fight

Clover Health’s milestone–a first-ever profitable operating quarter. Not only that, but it was an impressive turnaround from the prior year. Q2 operating net income was $7.2 million, versus a $28.9 million loss in 2023; directionally, these results were far more favorable than the adjusted EBITDA, which was $36.2 million versus $9.9 million for the prior year. Insurance revenue was also up 11% to $349.9 million, attributed to member retention and an improved medical cost ratio (MCR) of 71.3%, down from 77.9% in the prior year. Additional revenue from other operations, such as the recently introduced Assistant AI, is minimal. The 2024 forecast stays ‘in the clover’ with raised forecast revenue of $1.35 to $1.375 billion and adjusted EBITDA of $50 million to $65 million. Also helpful is their lifted Star rating from 3 to 3.5 for 2025. FierceHealthcare, Clover earnings release

Rival Oscar Health also stayed Back in Black for the second quarter running–CEO Bertolini wouldn’t have it any other way (or else–see below right). Q2 net income rose to $56.2 million, a $71.7 million improvement versus the prior year. Adjusted EBITDA also nicely improved to $104.1 million, a $68.6 million improvement. Revenue increased to $2.2 billion, a 46% increase over the prior year. Their MCR went down .9 points. The overall forecast for the year wasn’t provided. Membership was up over 600,000 in their main business of individual and small group insurance, with Bertolini pointing out that this was powered by plan growth in 80% of the states where they operate. Oscar exited Medicare Advantage at the end of 2023, and is shifting to marketing ICHRA, or individual coverage health reimbursement arrangements, that permit small businesses to offer employees individual health plans subsidized by employer contributions. After this year, the 58,000 members left in the unprofitable Cigna co-branded small group program will exit [TTA 10 May]. Oscar release, FierceHealthcare

Back in Mr. Bertolini’s old stand, Aetna, results weren’t so cheerful–and their president walked the plank after less than one year. The reorganization announcement was made on the earnings call yesterday, effective immediately. CVS Health CEO Karen Lynch will oversee the daily operations of the health benefits segment along with Aetna’s CFO. CVS VP/chief strategy officer Katerina Guerraz will move over to become Aetna’s chief operating officer.

What initiated it: while health benefits’ revenue stayed in the black, going the wrong way were operating income decreasing 39.1%, the medical benefits ratio (MBR) soaring to 90% from 86% in prior year and the medical loss ratio (MLR) going up to 89.6% from 86.2%. These were attributed to increased utilization, the decline in Medicare Advantage Star ratings, Medicaid acuity, and a revised risk adjustment in the individual exchange business. Something in this immediately doomed now former president Brian Kane, who joined only last September. His last post was at Humana as chief financial officer and leader of their primary care business. CVS Health release, FierceHealthcare, Healthcare Finance

Marrying robots with telemedicine, VSee is partnering with Ava Robotics to create an autonomous robot for telepresence use in hospital intensive care units. This would enable remote emergency physicians to be present at the point of patient care, interact with patients, consult with onsite staff and make treatment decisions. The projected market is smaller regional hospitals and ICUs. VSee already markets telemedicine carts and portable diagnostic and home care kits. Availability is not disclosed. VSee release, Mobihealthnews

VSee also announced a partnership with Wichita, Kansas community health provider Stand Together for its Aimee telehealth services. Telehealth at their centers will be available to participants for a monthly charge of $4.99 or a single virtual urgent care appointment for $9.99. VSee release

Ransomware strikes again. Non-profit blood donation organization OneBlood was hit on 29 July by a despicable ransomware attack that disabled much of its blood collection services for over 250 hospitals in the southeastern US. They continued to operate at reduced capacity and called for donors of O positive blood, O negative blood and platelet donations. The perpetrator, ransom demands, and breached information were not disclosed. On Monday 5 August, systems were partially restored in time for Tropical Storm Debby’s assault on many southeastern states. From a OneBlood spokesperson: “Our critical software systems have cleared reverification and are operating in a reduced capacity. As we begin to transition back to an automated production environment, manual labeling of blood products will continue. Additionally, we are beginning to return to using our electronic registration process for donors.” DataBreaches.net, FierceHealthcare, HealthcareITNews

Hard-hit Change Healthcare is still playing games with reporting to HHS’ Office of Civil Rights (OCR). Parent UnitedHealth Group reported the ransomware shutdown and data breach to OCR, a full five months after its occurrence. The number reported is the OCR minimum of 500, when it is well known that it affected millions of patients. UHG started direct patient notification on 31 July after weeks of delay, but stated to OCR that they are still determining the number of individuals affected. Provider notifications started in late June [TTA 21 June]. This followed after a hostile dispute earlier that month where UHG tried to push patient notifications onto providers, which HHS decided was 100% UHG’s responsibility. [TTA 5 June]. OCR FAQ update, HealthcareITNews

Masimo and activist shareholder Politan Capital continue to slug it out down to the 19 September shareholders meeting. Back in mid-July, Masimo postponed the meeting, originally scheduled for 25 July. At that time, Masimo filed a complaint in the US District Court for the Central District of California against the two Politan representatives on their board of directors plus Politan’s two nominees, alleging that proxy materials contained false statements and violations of the Exchange Act. The suit added that board member Quentin Koffey, also Politan’s chief investment officer, was secretly conspiring with a plaintiffs’ bar law firm currently in litigation with Masimo.

The latest revelation per Strata-gee 7 August: Politan’s countersuit in the Delaware Court of Chancery states that the charges filed by Masimo in the District Court are based on ‘unnamed sources received from a third-party opposition research firm…’ and Masimo’s outside counsel does not know the identity nor ever spoke to the sources. This was filed against CEO Joe Kiani, independent director Craig Reynolds, and director Bob Chapek as a breach of Delaware law.

To date, Masimo has not confirmed their sources to the Delaware court. 

As previously reported [TTA 17 July], the proxy fight was triggered by the value of the company, reduced substantially after Masimo’s snakebit 2022 acquisition of Sound United’s consumer audio brands, and by Politan’s move to control the company and kick out CEO Joe Kiani. The fight on the Masimo board of directors for two open seats pits the Masimo slate of CEO Joe Kiani and outside candidate Christopher Chavez against Politan’s Darlene Solomon and William Jellison. Politan already holds two seats and with a win of two additional seats will control the company. Masimo plans to sell the consumer audio and healthcare (baby monitoring) businesses to another unnamed investor, retaining their professional healthcare and pulse oximetry products.

Stay tuned to the next episode of this soap opera.

Short takes: states curbing healthcare cyberattack liability, North Korean hospital ransomwareiste indicted, Walmart leases out 23 clinics to Humana’s CenterWell, Nuro robot delivery revives, $100M Series E for Spring Health

News that class-action specialist law firms won’t like. States are considering limiting hospital cyberattack liability if they adopt cybersecurity measures. Currently, four states–Tennessee, Connecticut, Ohio, and Utah–have laws that curb liability for cyberattacks and data breaches. A fifth state, Florida, is considering it with the governor, Ron DeSantis, pushing for a tougher version to encourage strong cybersecurity adoption. The state lawmakers’ rationale centers on the admission that cyberattacks on hospitals are inevitable and that when hospitals have security in place, they are not negligent. On the opposite side, law firms that specialize in consumer class-action lawsuits argue that hospitals would rather profit than put into place expensive protection for consumer data. 

This Editor’s view tends to be even stronger than that of Governor DeSantis. How can state regulators actually know that a hospital has strong, effective cybersecurity? Hospitals not only have to spend money to constantly update their monitoring, but also have to hire the humans to implement it. In other words, what people or agency on the state level can assess that a hospital or health system has adequate cybersecurity in place and is acting in good faith to protect consumers against predatory data breaches or ransomware? The article in Politico is unfortunately very scant on how these laws work, the liability limitations, and the mechanisms for judging hospital cybersecurity. More to come on this. Also DataBreaches.net–this Editor’s go-to spot for research.

A North Korean ransomwareiste indicted, but he’ll be hard to serve if convicted. A grand jury in the Federal District Court for the District of Kansas has indicted Rim Jong Hyok for ransomware attacks on 17 hospitals and systems across 11 states plus attacks on government entities from May 2021 through April 2023. The US Department of Justice (DOJ) charge is that Mr. Rim was working for the North Korean intelligence agency, the Reconnaissance General Bureau (RGB), in a cyberhacking group known as Andariel. Andariel developed the Maui ransomware type and used it to attack healthcare and governmental entities. The ransoms collected from the hospitals were then used to fund cyber attacks and data exfiltration on government agencies, military bases, and multiple companies supporting the US military. The State Department is offering a reward of up to $10 million to locate Rim and others infiltrating US systems. It is highly unlikely that even with a conviction, Rim will serve any US time, but a conviction could initiate sanctions and other national measures. FierceHealthcare, US District Court indictment, US State Department ‘Rewards for Justice’ release

Walmart gives Humana a crack at reopening in-store clinics. After their well-publicized failure in retail health, Walmart is leasing nearly half of their former Supercenter clinics to Humana’s CenterWell healthcare services operation. By first half 2025, 23 of the 51 closed Walmart Health clinics in Florida, Georgia, Missouri, and Texas will convert to CenterWell Senior Primary Care and Conviva Care Centers. The focus will be on senior coordinated care with a staff of board-certified physicians, nurse practitioners, medical assistants, social workers, and other staff. Clinics are planned for Tampa/St Petersburg, Orlando, Jacksonville, Atlanta, Dallas/Fort Worth, and Kansas City. Medicare Advantage plans and Original Medicare will be accepted, though no mention is made of the ‘duals’ who are on both Medicare and Medicaid. Walmart will continue to operate pharmacy and optical locations. The CenterWell/Conviva network at present serves 318,000 seniors in about 300 centers across 15 states. Financial terms of the agreement were not disclosed. In retrospect, they should have done this several years ago. CenterWell release, MedCityNews

Another revival–the Nuro robot vehicle delivery service. Some years back, these driverless cars were envisioned to carry everything from pharmacy deliveries to groceries to prepared food, but the robot vehicles had problematic fully autonomous driving software that proved unsuitable for crowded urban areas, whether in satisfactorily retrofitted or specially designed EVs. Now in another AI-assisted generation with the R3, about 100 retrofitted Toyota Priuses able to go up to 45 mph will be tested in the California Bay Area in Mountain View, Palo Alto, Los Altos, and Menlo Park. Other vehicles to be upgraded to the new software are from Chinese EV manufacturer BYD, which has become famous for exploding cars in its home market. Timing after the California Motor Vehicle approval now is set for Uber Eats deliveries in test in early fall. TechCrunch

Telemental health fundings continue on a roll with Spring Health. Their $100 million Series E has increased their valuation from $2.5 billion to $3.3 billion. This round was led by Generation Investment Management with participation from existing investors, including Kinnevik, William K Warren Foundation, RRE, and Northzone. Their $71 million Series D was in drought-ridden April 2023. Their total funding now is $466.5 million. Spring Health’s concentration is in mental health support and care management as part of employer benefits and for payers, covering 10 million lives through 450 directly contracted employers, strategic payer relationships, and 27,000 groups that access the solution through a channel partner. As noted in Rock Health’s H1 report [TTA 30 July], the competitive telemental health category still leads by far as the most funded clinical category, with about $700 million in raises, over double that of cardiovascular and oncology, and will likely surpass 2023. Release, Mobihealthnews, FierceHealthcare

UK pathology services Synnovis hacked by Qilin ransomwareistes, demand $50M, justify attack due to UK involvement in “wars”

Pathology services provider Synnovis ransomwared, services continue to be disrupted. The Bloomberg report states that the Russia-based ransomware group Qilin is demanding a $50 million payment, in exchange for a code to unlock affected computers and software, which is the usual M.O. The ‘or else’ is that the hackers will post online the patient data stolen in the attack, according to a ‘spokesman’ quoted by Bloomberg, using a messaging account associated with the Qilin gang. FTA:

  • “A representative for the hackers said that they were very sorry for the people who suffered, but refused to accept responsibility for the human cost.”
  • Qilin is no longer in contact with Synnovis since the ransom wasn’t paid within their 120-hour deadline.
  • The vulnerability to gain access to the Synnovis computers/software was not disclosed, but is known as a “zero day”. This could not be independently verified by Bloomberg.

Synnovis partners in pathology services with two London-based hospital trusts, King’s College Hospital, Guy’s and St Thomas’, including the Royal Brompton and the Evelina London Children’s Hospital. GP services affected are in the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth. The incident started on 3 June and was announced 4 June. This affected patient tests such as blood, bowel and various swabs that are routine and needed in EDs and surgeries, causing mass reschedulings and diversion of services. TTA 5 June

Procedures continue to be disrupted according to Synnovis’ own Monday update. “We have delivered temporary workarounds including the redirection of non-urgent blood tests and result processing to other pathology labs to allow us to focus on urgent samples received from GPs, to ensure there is sufficient capacity for urgent testing and to respond to the highest priority cases at St Thomas’ Hospital and King’s College Hospital. Changes to processing of testing and results are being communicated directly to GPs and other service users to ensure a smooth transition.” Their analyzers are back online. There is no timetable for full restoration of services.

Synnovis states that they are continuing to work with law enforcement and the UK Information Commissioner, as well as the National Cyber Security Centre (NCSC) and NHS England’s (NHSE) Cyber Operations Team. This story will be updated with further developments.

Breaking: multiple London hospitals, borough GPs declare ‘critical incident’ from ransomware attack via third party pathology vendor

Breaking News. A group of London hospitals, plus GP services across several boroughs, have been affected by a third-party ransomware attack and have declared a critical incident. The vendor, Synnovis, is a provider of pathology services in a partnership between two London-based hospital trusts and SYNLAB UK & Ireland. The attack started on Monday 3 June. Synnovis reported in its statement yesterday that it affected all its IT systems and interrupted many Synnovis pathology systems. Synnovis “was the victim of a ransomware cyberattack”, according to chief executive Mark Dollar. Affected patient tests via Synnovis include blood, bowel and various swabs.

The hospitals affected are King’s College Hospital, Guy’s and St Thomas’, including the Royal Brompton and the Evelina London Children’s Hospital. These hospital trusts are partners in Synnovis with SYNLAB UK & Ireland, Europe’s largest provider of testing services. GP services affected are in the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth. The critical incident has affected primary care and delayed operations on patients plus blood transfusions, with reported diversions of emergency patients, though reports are varying on the last.

According to the Synnovis statement, the incident has been reported to law enforcement and the Information Commissioner, and they are working with the National Cyber Security Centre and the Cyber Operations Team. There is no information yet available attributing a ransomware organization. Infosecurity-magazine.com, Sky News, BBC News

This is a developing story.

News roundup: 100+ medical orgs pile on Change/UHG; Teladoc hit with second class-action suit; Congress demands Oracle EHR improvement–or else; Transcarent intros WayFinding; Centivo buys Eden Health

The fallout from the Change cyberhack hangs like smog over UHG. On Monday, the American Medical Association (AMA), along with about 100 other signatories from nationwide medical associations including CHIME and AHIMA, sent a strongly worded letter to Health and Human Services Secretary Xavier Becerra. It requested a clear delineation of responsibilities for breach reporting requirements created by the 21 February Change Healthcare ALPHV/Blackcat ransomware attack. Reporting is required by HHS’ Office of Civil Rights (OCR) under HIPAA.

Specifically, the AMA letter requested 1) more public clarity around reporting responsibilities to patients for the data breach and 2) that all reporting and notification responsibilities will be handled by Change Healthcare, not the providers. “OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach”. To date, this doesn’t seem to be OCR’s position.

  • The AMA and signatory organizations maintain that it “is the responsibility of the covered entity which experienced the breach—UHG—to fulfill its obligations in regard to reporting the breach to OCR, notifying each affected individual, as well as any further HIPAA breach reporting requirements that may be applicable, such as notifying state Attorneys General and media outlets.”
  • OCR, on the other hand, has gone on the record in April as stating in their FAQs that “while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary, depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.” (Providers can be considered business associates)

In other words, the providers want the full responsibility of contacting patients, state attorneys general, media, and others (e.g. class action lawyers) to be Change Healthcare’s. They do not want to be forced to contact their patients and, in all fairness, at this point do not know which patients were affected because they are not privy to Change Healthcare’s information. UHG has not yet produced a breach report to OCR. AMA letter to Becerra, Healthcare Finance News

When the stock falls, blame the marketing spend! The latest class-action lawsuit filed against Teladoc blames the company for spending money in digital and other media advertising promoting BetterHelp, their telementalhealth unit. The suit cites Teladoc’s public statements such as a “long runway” for BetterHelp’s membership growth and that spending would be inefficient due to the saturated category. Yet spending increased in 2023. The lawsuit charges that this directly deteriorated the company’s revenue, leading to a substantial fall in its stock price. Charged are Teladoc and, at the time, CEO Jason Gorevic and CFO Mala Murthy. Stary v. Teladoc Health, Inc. et al., was filed on May 17 in the US District Court for the Southern District of New York. No response yet from Teladoc. Docket on Justia, Mobihealthnews

The House and Senate Veterans’ Affairs Committees jointly introduce legislation on VA’s EHR modernization. The Senator Elizabeth Dole 21st Century Veterans Healthcare and Benefits Improvement Act would require the Department of Veterans Affairs to exercise even greater oversight of the Oracle Cerner implementation in these areas:

  • The quarterly reports to Congress would include additional quality metrics on user adoption, employee satisfaction, and employee retention/turnover where the Oracle Cerner EHR is introduced. This adds to existing required reporting on spending and performance.
  • Regarding additional rollouts, the VA secretary must certify that the sites are ready. He also must furnish corroborating data to Congress “demonstrating that all facilities currently using the Oracle Cerner EHR system have recovered to normal operational levels.”
  • If there is no improvement (presumably to this standard) at Oracle Cerner locations within two years of the bill’s enactment, the program will be terminated.
  • VA must also report on the status of VistA with details about “the operation and maintenance costs and development and enhancement costs” of the software and “a list of modules, applications or systems” within VistA that VA plans to retire or continue to use.

HIStalk 17 May, NextGov/FCW

‘Not for sale’ Transcarent introduces an AI-assisted platform, WayFinding. The platform, designed for end users of Transcarent’s enterprise health navigator, combines generative AI with instant access to care providers to integrate benefits navigation, clinical guidance, and care delivery on a single platform. The personalized guidance enables the member to find a provider, find out costs, and determine the best clinical action to take next. It then connects them to medical professionals or provides direct access into digital point solutions. It integrates information on details of the employer plan, ancillary benefits, the member’s medical history, and connection to clinical specialists. There is no information in the overly padded release on when the new platform will be available or how it will be offered to existing and new customers. This follows on Transcarent’s $124 million Series D funding two weeks ago. FierceHealthcare, Mobihealthnews, TTA 8 May

Centivo acquires Eden Health virtual care. The purchase price was not disclosed. Centivo, headquartered in Buffalo NY, is a health plan for self-funded employers. Eden, also providing services to employers, is a concierge provider that offers through a mobile app primary care, mental health, and care navigation services, plus workplace pop-up clinics. Eden also has technology that connects providers’ EMRs to their app. Eden’s services will be fully integrated into Centivo, which will enable it to expand to 50 states and increase from its current 120 employer base to 160. The combined organizations cover about 2 million eligible patients in companies ranging from Fortune 100 size to small businesses. Eden’s CEO will serve as a senior advisor to Centivo, but there is no other indication of employee transition. Release, FierceHealthcare

Short takes: Legrand acquires Enovation, FDA nixes Cue Health’s Covid tests, Ascension confirms ransomware attack–who did it? (updated), beware of ‘vishing’ courtesy of ChatGPT

Legrand Care acquires Enovation. Enovation is a Netherlands-based digital health company with a connected care platform for care monitoring across prevention, early detection, medication checks, and remote healthcare. Its customer base includes ambulances, pharmacies, clinics, hospitals, and home care. With distribution in healthcare organizations across 18 countries, including Scottish Digital Telecare [TTA 11 Aug 2021], it will join the equally international Legrand’s Assisted Living and Healthcare (AL&HC) business unit with Intervox, Neat, Tynetec, Jontek, and Aid Call. Acquisition cost was not disclosed. Release. Legrand and Tynetec are long-time supporters of TTA.

The hammer drops on embattled Cue Health. The US Food and Drug Administration (FDA) has invalidated Cue Health’s Covid-19 Tests for Home and OTC Use and for the authorized lab test version. Home users were advised to discard unused kits in household trash. Both consumers and providers were advised to retest if symptoms persisted after a negative test result. This followed an FDA inspection of their operations that determined that unauthorized changes to the test kit design were made along with failures in performance testing. A Warning Letter was issued to Cue on 9 May. The company has not yet responded. FDA Safety Communication

Cue was one of many biotech manufacturers that marketed Covid-19 point of care/lab, and home testing kits after obtaining Emergency Use Authorizations (EUA) in 2020 and 2021. It exploded in size and went public in September 2021 at $200 million and $16/share with a valuation of $3 billion. Today HLTH shares trade on NasdaqCM at a little bit over $0.13. Their headquarters facilities in San Diego that once had 1,500 employees must be a lonely place, as the company reported another layoff of 230 employees, about half of remaining staff, after earlier layoff rounds of 245 in February and 880 in 2023. Their remaining test is one for Mpox on a EUA. Two other tests developed for flu and RSV are still under FDA review. Cue Health’s financial reports for 2023 were dismal with revenue down to $71 million, an 85% reduction versus 2022, and a net loss of $373.5 million. Recent reports indicate that the company will refocus on marketing its Cue Health Monitoring System. Management and board changes have also been drastic, with a CEO change in March (Yahoo Finance) and the CFO departing this past Monday. MedTech Dive

Ascension Health finally acknowledged that its cyberattack was ransomware-based. On Saturday 11 May, their website event update confirmed that the cyberattack was ransomware. The Saturday and Monday 13 May updates also confirm that system operations will continue to be disrupted with no timetable set for restoration to normal status. Impacted systems include their EHR, MyChart, and some hospitals are diverting emergency care. The update page now has 12 regional updates and a general + patient FAQ. Update: in these states, Ascension’s retail pharmacies cannot fill prescriptions: Florida, Wisconsin and the District of Columbia. Their website recommends that patients bring paperwork and prescription containers. Lab and imaging results are delayed. Since the hospitals are on manual systems, overall there are delays in admissions–bring documentation. And the class-action suits have started, with reports that three have been filed already. Healthcare IT News

Who dunnit? DataBreaches.net reported over the weekend that Ascension’s hack has been attributed to interestingly named ransomwareistes Black Basta. Late last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Black Basta. It’s another charming ransomware-as-a-service (RaaS) with bad news affiliates like BlackCat/ALPHV wreaking havoc on over 500 organizations globally. No word on whether Ascension has paid ransom. 

Speaking of cybersecurity, now something else to worry about–‘vishing’. This is ‘voice phishing’, another generative AI-facilitated hack that uses snippets of a human voice to pose as people or as representatives of organizations via phone call or voicemail. Not enough? There’s ‘smishing’–SMS or text phishing which can invade your phone with all sorts of nasty messages. These attacks, according to cybersec firm Enea, are up twelve-fold since the launch of ChatGPT. Vishing, smishing, and phishing (email) attacks have increased by a staggering 1,265%. 76% of enterprises lack sufficient voice and messaging fraud protection. Can we go back to the 1990s? 2000s? When we worried about “Nigerian princes” email scams? Becker’s, Enea survey report

Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) and posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here are the latest updates from DataBreaches.net.

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data. 

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify that they had the data, 2) ask whether it was ‘notchy’s’ data, and 3) ask how RansomHub obtained it if not from ‘notchy’. RansomHub also leaked some screenshots of 2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.”

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data is now for sale. Anyone interested in the purchase should contact RansomHub.

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty. 

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), and Genoa (OptumRx, number unknown). Notice periods range from immediate to mid-May and beyond. Jobs eliminated span all levels, regional and corporate, affecting engineers, care management, clinical staff, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

News roundup: Now Clover Health faces delisting; BlackCat/ALPHV affiliate with 4TB of data puts it up for sale; $58M for Biolinq’s ‘smallest blood glucose biosensor’

Clover Health takes another pass at Nasdaq delisting. Once again, Clover’s Class A shares (CLOV) have been trading with an average closing price of below $1.00 over a consecutive 30 trading-day period, which violates Nasdaq’s continued listing minimum price criteria for the Nasdaq Global Select Market. This was announced in their most recent 8-K filed with the SEC 2 April. Clover has until 30 September to remedy the situation. An additional 180-day period may be elected if Clover transfers to the Nasdaq Capital Market. FierceHealthcare, Becker’s

The delisting notice is a rerun of their situation last year at this time. Clover considered a reverse stock split to be approved by shareholders, but the share price improved on its own and the action was not necessary. This year, it may be. Clover is currently trading at $0.7365. Last August, it hit a high of $1.55 before sliding to below $1.00. An example of a SPAC through Social Capital Hedosophia Holdings, it hit a high of over $15 on 8 January 2021 before cracking that year after revelations that Clover had not disclosed a Department of Justice investigation begun the prior year, which prompted an SEC investigation [TTA 9 Feb 2021] and triggered seven shareholder lawsuits that were not settled until December 2023. Clover Health exited the advanced value-based primary care program, ACO REACH, at the end of the 2023 performance year after two years to focus on their Medicare Advantage and Clover Assistant businesses [TTA 6 Dec 2023]. Financially, Clover closed 2023 with revenue of $2.033 billion (down from 2022’s $3.5 billion), a net loss of $213.4 million, and an adjusted EBITDA loss of $44.7 million, with the losses improved over 2022. Clover release

As predicted, 4TB of Change Healthcare data is up for sale. In a typical ransomwareiste move, the affiliate making nasty comments about BlackCat/ALPHV and claiming it had 4TB of data now has put the specs out on a dark web site called Ransomhub. The post first accuses ALPHV of stealing the $22 million ransom paid by UnitedHealth Group and not sharing it with the affiliate. It then claims it has highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more. If Change/UHG isn’t interested, it will be up for sale to the highest bidder. Readers will recall the claims of ‘notchy’ early in the Change Healthcare attack [TTA 7 Mar] though UHG has not confirmed any payment to ALPHV. The demand for payment for the 4TB of data that ‘notchy’ claimed to possess was hardly unexpected. DataBreaches.net

A non-invasive “smallest ever” transdermal biosensor in development may turn the CGM business upside down. Biolinq’s latest round of $58 million will fund a pivotal clinical trial and FDA submission of its intradermal glucose sensor. The funding was led by Alpha Wave Ventures, with participation from Niterra’s corporate venture capital fund jointly operated with Pegasus Tech Ventures and existing investors RiverVest Venture Partners, AXA IM Alts, Global Health Investment Corporation, and four others, for a total since 2014 of $254 million. Crunchbase. Current blood glucose sensors penetrate the skin with tiny needles. The Biolinq biosensor uses electrochemical sensors to measure glucose levels from the intradermal space just beneath the surface of the skin, above the capillary layer, avoiding scarring. To access the intradermal layer, the sensors must be “200 times smaller than a human hair filament” according to Biolinq CEO Rich Yang. It also can combine blood glucose information with relative levels of activity in one device, and may eventually measure other analytes. The device as currently designed displays key information directly on the sensor: yellow light for high blood glucose, blue for normal. Release, MedCityNews

Mid-week roundup: UK startup Anima gains $12M, Hippocratic AI $53M, Assort Health $3.5M; Abridge partners with NVIDIA; VillageMD sells 11 Rhode Island clinics; $60 for that medical record on the dark web

It may be a little chilly out, but it feels like Springtime For Early Round Funding and Big Partnerships.

Anima, a London-based startup fresh out of Y Combinator, now has a $12 million Series A raise. It was led by Molten Ventures, with participation from existing investors Hummingbird Ventures, Amino Collective and Y Combinator. Its platform combines online consultation with productivity tools for integrated care enablement in one dashboard for primary care. Its founders position it as a single source of patient truth across care settings, avoiding missed diagnoses. As of today, Anima is deployed in over 200 NHS clinics in England caring for a combined 2 million patients and handling over 400,000 requests per month. They also claim to halve the time practices spend on coding, processing, and filing documents and to resolve 85% of patient inquiries within a day. Shun Pang, co-founder and CEO of Anima, who trained as a doctor at Cambridge University, told TechCrunch: “The entire clinic collaborates in a real-time multiplayer dashboard, like Figma, and can ping cases to each other, and chat with a Slack-like UX.” He also added that Anima’s processing system can “autonomously ingest any document, like handwritten, diagrams, imaging, and output a summary, with structured fields.” Anima has not entered the US market yet. Anima blog/release, Tech.EU

Hippocratic AI raised a jumbo $53 million Series A for what they term the first safety-focused Large Language Model (LLM) for healthcare. AI of course is the hottest funding area in healthcare. With two previous rounds raised in mid-2023, their total funding is $118 million (Crunchbase), creating a valuation estimated at $500 million. Investors were co-led by Premji Invest and General Catalyst with participation from SV Angel and Memorial Hermann Health System as well as existing investors Andreessen Horowitz (a16z) Bio + Health, Cincinnati Children’s, WellSpan Health, and Universal Health Services (UHS). Their product is a novel staffing marketplace where health systems, payors, and others can “hire” auto-pilot generative AI-powered agents to conduct low-risk, non-diagnostic, patient-facing services to help solve the massive healthcare staffing crisis. This is now being released for phase three safety testing with 5,000 licensed nurses, 500 licensed physicians, and the company’s health system partners. Release

San Francisco-based startup Assort Health now has a seed round of $3.5 million to advance its generative AI approach to healthcare call centers. Its goal is to eliminate front desk stress and call center/service holds. Their system in development uses AI and NLP (natural language processing) to understand a caller’s intent, then integrates with the medical provider’s EHR, including Epic, to resolve patient inquiries without human intervention. Funding was led by Quiet Capital (!) joined by Four Acres, Tau Ventures, and a number of angel investors from tech companies. Release

Another generative AI company with a substantial Series C under its belt, Abridge, is partnering with super-hot NVIDIA.  The partnership also comes with undisclosed funding from NVIDIA’s VC arm, NVentures, to add to last month’s $150 million raise. Abridge is developing conversational AI technology using LLM and speech recognition to ease the burden of taking notes during the doctor’s appointment, with fluency in 14 languages across 55 medical specialties. Abridge’s technology is designed to capture clinician-patient conversations and structure the scribing. NVIDIA’s partnership will give Abridge access to NVIDIA’s computing resources, foundation models, and expertise in efficiently deploying AI systems at scale. Release

Another episode in the continuing Walgreens Restructuring Saga has VillageMD selling 11 practices to Arches Medical Partners. The practices are located in the Providence metro area of Rhode Island and consist of three urgent cares and eight offices with a total of 50 physicians and 75,000 patients. It is unusual because it is the first time that VillageMD has sold practices instead of closing the offices, which it is doing with 85 to 90 offices. The transaction price was not disclosed; it closed on 2 March. Arches is based in Cambridge, Massachusetts. Beyond acquiring practices, Arches deploys software from its wholly-owned technology subsidiary, New Era Medical Operations (NEMO), to enable IPAs to negotiate and manage global risk contracts. Arches release, Becker’s, Crain’s Chicago Business

Wondering why ransomwareistes, their affiliates, and hackers in general are attracted to healthcare? It’s the value of a medical record. Going rates on the ‘dark web’ are now topping $60, according to CNBC’s source, cybersecurity researcher Jeremiah Fowler. By comparison, a Social Security number is a bargain at $15 and a credit card number a mere $3. It’s also easier to hack than ever due to affiliate relationships termed ransomware-as-a-service or RaaS. The operator supplies the ransomware and the leak site, the affiliate hackers do the intrusion work, and they share in the rewards–most of the time (see ‘notchy’ being scammed by BlackCat/ALPHV on the Change Healthcare cyberattack TTA 5 Mar). But this doubles or triples the potential for company extortion: multiple ‘actors’ attack a company, extort a ransom, and then each keeps a copy of the healthcare data and sells it through their own channels. Paying the operator does not bind the affiliate, and vice versa.

The article concludes that healthcare execs need to get very, very serious about protecting their data. Yet this year healthcare organizations have been downsizing IT departments in order to save money. This is as security software has proliferated–but it has to be purchased and managed. Another distressing fact: this Editor only last week attended a major NYC conference on cybersecurity. Healthcare was mentioned only in passing as a market. Worse, the massive Change Healthcare attack was not even mentioned until this Editor questioned a speaker from the floor–and unfortunately she knew more about it than the speaker!

Is BlackCat/ALPHV faking its own ‘death’? (updated) HHS and CMS come to Change affected providers’ assistance with ‘flexibilities’

BlackCat/ALPHV blames the FBI for another ‘shutdown’ and exits, stage left. BlackCat put up, on their new leak website, a copy of the shutdown screen that appeared on their old leak website back in December [TTA 22 Dec 23], claiming that law enforcement shut them down. The FBI did not confirm this either way, but Europol and the NCA confirmed to Bleeping Computer that they had no recent activity involving BlackCat. The other tell was that the page source of the two screens differed: the new ‘seizure’ banner was served up from another server, not from law enforcement.

On a Russian hacker forum called Ramp, BlackCat/ALPHV claimed that they “decided to completely close the project” and “we can officially declare that the feds screwed us over. The source code will be sold, the deal is already being negotiated”. The source code is reportedly up for sale for $5 million.

As to the $22 million, BlackCat/ALPHV never admitted it was paid by Optum/Change (nor is Optum confirming), but the affiliate called “notchy” which didn’t get paid [TTA 5 Mar] shared with Bleeping Computer a cryptocurrency payment address “that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.” That wallet then distributed seven equal payments of $3.3 million in bitcoin to other wallets.

(Update) Speaking of “notchy”, let’s not forget that this affiliate claims to have 4 TB of PHI/PII data from Change that could be sold or leaked. Since they never got paid by BlackCat/ALPHV, it’s safe to assume that information will be up, so to speak, for grabs.

When it all adds up–the fake FBI ‘raid’, shutting down servers, the signoff on Tox of “GG” (good game?), the cutting off of affiliates (which also confirmed this to DataBreaches.net–and may or may not have been paid)–it resembles an exit scam.

(Update) Another excellent summary about ALPHV in Krebs On Security also updates LockBit, which was seized in an international takedown in February, and the governmental entities they ransomwared. To be continued….

The lobbying of HHS by Congress, the American Hospital Association, and UHG to help out providers has produced some results. On 5 March, Health and Human Services (HHS) issued a statement that summarized various ‘flexibilities’ and workarounds to aid providers who cannot access systems or have to resort to alternatives to ensure continuity of services to patients. These will be administered through the Centers for Medicare & Medicaid Services (CMS) and cover prior authorization, advance funding, and claims processing for Medicare. From the statement:

  • Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch.
  • CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages.
  • CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
  • CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies.
  • If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs. CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them.

Many payers are also making funds available while systems are offline. Hospitals may also face “significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration.”

The statement closes with a reminder of HHS’ December concept paper on cybersecurity strategy for healthcare. DataBreaches.net (full statement), Becker’s

(Update) More on how this is affecting patient care focusing on cancer treatment, from the point of view of a Community Oncology Alliance spokesman. In addition, how consolidation is making healthcare more vulnerable to cybercriminals, and comments on UHG and Federal processes and payment offers to date. HealthcareITNews.

And DDoS attacks and questionable downtimes are now common.

Editor’s Update 11 Mar: The DataBreaches.net website had a major DDoS attack on 7 March and was down for two days through 8 March. It is now fully up and running with our links working.

Multiple US Government websites went down Thursday evening 7 March based on news reports: Department of Homeland Security (DHS), Customs and Border Protection (CBP), Immigration & Customs Enforcement (ICE), Citizenship and Immigration Services (USCIS), US Secret Service and Federal Emergency Management Agency (FEMA). The timing, during the State of the Union address to Congress, is, well, interesting. Daily Express. Later reports announced restoration that evening. Cyber incidents are not exactly unknown on government websites.

Week 2: Change Healthcare’s BlackCat hack may last “for the next couple of weeks”, UHG provides temp funding to providers, AHA slams it as a ‘band-aid’–but did Optum already pay BlackCat a $22M ransom? (updated)

The BlackCat/ALPHV ransomware attack on Change Healthcare’s systems continues. At this point, the Optum systems website doesn’t show anything other than a chronological trail of updates and a long list in very small gray type of Change Healthcare systems affected–no more individual checks on working systems and red Xs on the ones that weren’t. 

  • UnitedHealth Group is setting up a program to loan funds, the “Temporary Funding Assistance Program,” to providers who cannot receive payments while Change systems are down. While without fees or interest, the loans will have to be repaid.
  • In a Tuesday 27 Feb conference call with hospital cybersecurity officers reported by STAT, UHG Chief Operating Officer Dirk McMahon said that the program will continue “for the next couple of weeks as this continues to go on.” This is more of a timeline than UHG has otherwise disclosed.
  • The American Hospital Association (AHA) on Monday slammed the “Temporary Funding Assistance Program” as “not even a band-aid on the payment problems” that hospitals are experiencing. The program is, in their view, 1) “available to an exceedingly small number of hospitals and health systems” and 2) burdened with “shockingly onerous” and “one-sided contractual terms” and conditions for payback and verification through access to claims payment data. For their members, “their financial future becomes more unpredictable the longer Change Healthcare is unavailable. UnitedHealth Group, which is a Fortune 5 company that brought in more than $370 billion in revenue and $22 billion in profit in 2023, can — and should — be doing more to address the far-reaching consequences that result from Change Healthcare’s inability to provide these essential hospital revenue cycle functions nearly two weeks after the attack.” 4 March letter to UHG. AHA maintains an update page for members and other providers.
  • US Senator Chuck Schumer wrote 1 March to the Centers for Medicare & Medicaid Services (CMS) requesting that CMS accelerate payments to hospitals, pharmacies and other providers. Also Becker’s
  • AHA wrote 4 March to all four Congressional leaders detailing the effect on providers, UHG’s assistance program’s inadequacies, and requesting assistance from HHS including requesting “Medicare Administrative Contractors to prioritize and expedite review and approval of hospital requests for Medicare advanced payments.”  

Update: According to First Health Advisory, a cybersecurity firm in healthcare, some large providers are losing $100 million daily because of the interruptions to Change/Optum’s payer systems. CNN, Becker’s

And BlackCat went All Quiet on the Ransomware Front. Bleeping Computer confirmed that BlackCat turned off their servers and took their negotiation website offline over the weekend. “The Tox messaging platform used by the BlackCat ransomware operator contained a message that does not provide any details about what the gang plans next: “Все выключено, решаем,” which translates to “Everything is off, we decide.”” It has now been changed to “GG”.

This may or may not be related to another development–an affiliate of BlackCat/ALPHV claiming that they were cheated out of a $22 million ransomware payment from Optum. These affiliates actually carry out the attacks on victims using encryptors supplied by the main entity. Dmitry Smilyanets of threat intelligence company Recorded Future picked up a message posted by “notchy” that said Change/Optum paid $22 million on 1 March to “prevent leakage and decryption key.” ALPHV suspended their account after receiving the payment and never paid them. This affiliate also claims they still have 4 terabytes of data from Change that goes deep into Tricare, Medicare, MetLife, CVS, and many other payers. As proof of the ransom, “notchy” provided a cryptocurrency payment address with a total of nine transactions. In the ultimate irony, “notchy” warned other affiliates to stop dealing with ALPHV. Cutting off affiliate ties and walking away with the cash, preliminary to another rebrand of BlackCat/ALPHV, formerly DarkSide and BlackMatter? Also The Register and DataBreaches.net–which commented that while Optum may have gotten a decryptor, what about All That Data?

Change Healthcare cyberattack persists–is the BlackCat gang back and using LockBit malware? BlackCat taking credit. (update 28 Feb #2)

On Day 7, reports, like recollections, may differ. Today’s Reuters report (26 Feb) attributes the attack on Change Healthcare, which has snarled pharmacies and hospitals since Wednesday [TTA 23 Feb], to a revived BlackCat (a/k/a ALPHV) ransomware operation. Readers will recall that the FBI busted BlackCat right before Christmas last year, seizing their operational darknet websites and putting up a most showy home screen. They worked their way into the BlackCat operation via their affiliate operation. However, BlackCat rebooted a few days later, made an appearance, and went back underground. As Bleeping Computer predicted then, BlackCat is apparently back and, adding insult, not even under a new name. 

Bleeping Computer today reported that BlackCat’s hack went through two critical ConnectWise ScreenConnect flaws (CVE-2024-1709, an authentication bypass, and CVE-2024-1708, a path traversal usable once authenticated), which were being actively exploited in attacks to deploy ransomware on unpatched servers; ConnectWise fixed both in ScreenConnect 23.9.8. This was confirmed by Reuters and Health-ISAC, a healthcare-focused organization engaged in cyber best practices and threat intelligence, via the American Hospital Association’s AHA Cybersecurity Advisory today (26 Feb). AHA is advising healthcare organizations to actively reevaluate their connection or disconnection status with Change Healthcare systems which have been deemed safe by Optum.

As of today, BlackCat did not claim credit for taking down Change’s systems nor is there any report of a ransom demand. It is perhaps too early to determine if there has been any data theft. Nor are there reports of other healthcare or other organizations being attacked through the ScreenConnect flaw.

Optum has a page detailing the status of Change Healthcare’s individual systems here. Optum has a statement that has remained nearly the same on issues with connectivity since last Wednesday.* This Editor’s experience of the page is that it needs refreshing to view the full version. Regarding the systems, they are a long list to scroll through and your Editor lost count after 100. Most have red Xs by them. Some systems are checked green. Change is also holding Zoom calls to update partners. Reuters reported that Alphabet’s cybersecurity unit Mandiant is in charge of investigating the attack.

Change Healthcare processes 15 billion healthcare claims annually. This attack seems to have hit their pharmacy software the hardest. These software tools are used to verify patient eligibility for specific medication and also their insurance coverage. The outage not only covers the big chains like CVS and Walgreens, but also Tricare and the Military Health System (MHS) globally. TTA 22 Feb, updated 23 Feb.

A Friday report in SC Magazine indicated that the malware used by BlackCat was a strain of LockBit malware delivered through the ConnectWise ScreenConnect bypass flaw. Their source, Toby Goucker, chief security officer at First Health Advisory, stated that their firm identified the ScreenConnect flaws and sent out a notification on 19 February. Goucker noted that bad actors prey on the gap between when a vulnerability is disclosed and when patches are actually applied. However, Goucker was not able to confirm that Change uses ScreenConnect, so the ScreenConnect path remains a plausible but unverified account of the initial access.
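The two defensive checks a healthcare IT shop would have wanted during that disclosure-to-patch gap are simple to automate. The following is an added example, not code from TTA, SC Magazine, First Health Advisory or ConnectWise: it compares a ScreenConnect server’s version string against the fixed release 23.9.8, and scans web-server access logs for the publicly documented exploitation pattern of CVE-2024-1709 (request paths that continue past SetupWizard.aspx, which unpatched builds route to the setup wizard even after installation is complete). The W3C-style log layout and the sample lines are constructed for the example; no Change or Optum logs are involved, and the field order is an assumption you should adjust to your own server’s log definition.

```python
import re
from urllib.parse import unquote

# ConnectWise fixed CVE-2024-1708/1709 in ScreenConnect 23.9.8; on-premise
# builds 23.9.7 and earlier are affected.
PATCHED_VERSION = (23, 9, 8)

# Constructed IIS/W3C-style access log lines for the example. Client addresses
# are RFC 5737 documentation ranges, not real traffic.
SAMPLE_LOG = """\
2024-02-20 03:14:07 10.0.0.5 GET /Login - 443 - 203.0.113.7 Mozilla/5.0 200
2024-02-20 03:14:09 10.0.0.5 GET /SetupWizard.aspx/ - 443 - 203.0.113.7 python-requests/2.31 200
2024-02-20 03:14:10 10.0.0.5 POST /SetupWizard.aspx/anything - 443 - 203.0.113.7 python-requests/2.31 200
2024-02-20 03:15:00 10.0.0.5 GET /SetupWizard.aspx - 443 - 198.51.100.9 Mozilla/5.0 302
2024-02-20 03:16:00 10.0.0.5 GET /Script.ashx - 443 - 198.51.100.9 Mozilla/5.0 200
"""

# Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<path>\S+) "
    r"\S+ \d+ \S+ (?P<client>\S+) "
)


def is_vulnerable_version(version):
    """True if a ScreenConnect version string (e.g. '23.9.7.8823') predates 23.9.8."""
    parts = tuple(int(x) for x in version.split(".")[:3])
    return parts < PATCHED_VERSION


def is_setup_wizard_bypass(path):
    """True if the request path continues past SetupWizard.aspx.

    Percent-decode and lower-case first so an encoded suffix is not missed.
    A bare '/SetupWizard.aspx' with no trailing path is normal traffic (a
    configured server just redirects it), so it is not flagged.
    """
    p = unquote(path).lower().split("?", 1)[0]
    marker = "/setupwizard.aspx"
    idx = p.find(marker)
    if idx == -1:
        return False
    return p[idx + len(marker):].startswith("/")


def find_bypass_attempts(log_text):
    """Return (client_ip, method, path) for every request matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_setup_wizard_bypass(m.group("path")):
            hits.append((m.group("client"), m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("23.9.7.8823 vulnerable:", is_vulnerable_version("23.9.7.8823"))
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("possible CVE-2024-1709 attempt:", hit)
```

A hit from this scan is a lead, not proof: treat it as confirmed only if the request reached a server whose setup was already complete, and then look for the follow-on sign of success, a newly created administrative user and any remote-session or file activity from it.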

Ironically, the LockBit ransomwareistes were busted only last week by a combined UK NCA and US DOJ/FBI effort. Like weeds, they never go away entirely.

Oddly, Change Healthcare’s website home page does not have a notice about their problem or direct to a page on their or UHG’s site about it for assistance. We know you’re busy, guys, but from this Editor’s marketing perspective not having an information banner and redirect to the Optum page is a basic communication failure.

**This is a developing story and will be updated.**

*Update 27 Feb 9am Eastern Time.

A repeat of Optum’s boilerplate statement on their page today indicates this cyberattack is still unresolved for most of Change Healthcare–and will remain unresolved at least through today:

Update – Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.

We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
Feb 27 2024 – 09:03 EST

Identical message 28 Feb 10:48am ET indicating that the effects of this attack are now one week old.

Updated 28 Feb: DataBreaches.net (“The Office of Inadequate Security”) reports that BlackCat is taking credit for it.

“BlackCat informed DataBreaches that yes, they are responsible for the attack. DataBreaches has asked them if they are willing to share any additional details and will update this post if any are received.”

This Editor is also following coverage in the usually reliable The Register which added a reply they obtained from Optum: “Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems.” They are not confirming the perpetrators. 

#2 update from DataBreaches may point to Change Healthcare as well as healthcare in general. Here is part of a Cybersecurity Advisory (CSA) that is part of the ongoing #StopRansomware effort by the Cybersecurity and Infrastructure Security Agency (CISA). CISA was joined by the FBI and, interestingly, the Department of Health and Human Services (HHS). They “are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.” The addition of HHS as well as the February 2024 date should be noted. “FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.” Could this be behind what is going on at Change Healthcare–a BlackCat full-court press versus US healthcare?

And at least one major hospital CEO wants answers now. Tampa General Hospital CEO John Couris went up to Optum’s CEO Amar Desai in the speaker room at the ViVE conference in Los Angeles on Monday, and the answer was far less than satisfactory. “And his answer to me was, ‘We’ll have an update in two days.’ So I don’t think he knows.” Mr. Couris speculates that Change Healthcare will 1) not pay ransom and 2) rebuild its systems in maybe four weeks–and that puts hospitals like his that use Change as a clearinghouse for claims in, to put it mildly, a pickle. MedCityNews

2023’s global cyberattack disaster: healthcare #3 in weekly attacks, 10% of organizations ransomwared–report

An average of 1,100+ cyberattacks per organization per week. Let that sink in. While it represents only a 1% increase over 2022, and averages are well…averages, this is a lot to handle for any organization, even one nowhere near the weekly average.

The report from Check Point Software Technologies, Ltd. an Israel (Tel Aviv HQ) and US-based IT security organization, is depressing reading for any company, especially for healthcare. (Editor’s note: Check Point’s data is derived from ThreatCloud AI, their intelligence engine.) Many of the large numbers are boiled down to averages per organization per week.

  • In terms of general cyberattacks globally, healthcare is #3 with an above-average 1,500 attacks per organization per week, right behind #2 government/military, with education/research far ahead at #1 with 2,046 per organization per week. Healthcare’s figure was up 3% versus 2022.
  • Retail and wholesale attacks are up 22% annually–a cautionary note for healthcare organizations engaging in retail operations.
  • Regionally, APAC (1,930 attacks) and Africa (1,900 attacks) led with increases at 3% and 12% respectively.

We not only must be concerned with ransomware–but mega-ransomware. These include zero-day exploits (a software flaw exploited by the hacker/ransomwareiste before the vendor or developer is aware of it or has a patch available). Rather than being content with encrypting data and demanding bitcoin for its release, the hyper version is now data theft followed by extortion campaigns threatening public disclosure of the stolen data, as in the 2023 MOVEit and GoAnywhere file-transfer campaigns. Not mentioned here is another vector–business associates and vendors, whose staff are targeted with ‘social engineering’ tactics to steal passwords and other credentials that then provide access into the larger system [TTA 24 Jan].

  • 10% of global organizations were targeted by a ransomware attack, up 3 percentage points from 2022.
  • Healthcare again was above average, #3 with 12% of organizations experiencing attacks. Government/military was #2 with 16% and education/research #1 with 22% of organizations.
  • The Americas went up from 5% in 2022 to 9% in 2023. APAC and EMEA were higher and also increased.

Advice they give on security is logical: robust data backup, cyber awareness training, up-to-date patches, stronger user authentication, implementing anti-ransomware solutions, and utilizing better threat prevention. Can healthcare do this while leaning out IT, fighting collapsing margins, and transforming care delivery?

Another turkey: potential 9M patients affected by medical transcription vendor data breach

Vendors are hot, hot, hot…with hackers. In another notable vendor data incident, Perry Johnson & Associates (PJ&A), a Henderson, Nevada-based provider of transcription services for hospitals and physician practices, reported a data security incident to the US Health & Human Services (HHS) Office of Civil Rights (OCR) on 3 November. The breach occurred in the network and files were copied 27 March-2 May, when it was detected. 8.95 million individuals were affected, with over 4 million individuals in NYC and Syracuse at Northwell Health, the largest health provider in New York State, and Crouse Health. Northwell hasn’t had much luck with transcription providers, having been affected by Nuance Communications’ hack earlier this year by one of their vendors–the Progress Software MOVEit file transfer protocol (FTP) theft traced back to ransomwareistes CLOP [TTA 3 Aug].

Personal health information stolen for all included name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. While the records didn’t contain financial information, some patients may have had breaches of their Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

PJ&A notified affected providers on 29 September and affected patients on 31 October. In addition to the 4 million+ in New York, 1.2 million individuals were served by Cook County Health in Illinois. The rest have not been identified. TechCrunch, News4NY, PJ&A notice 

A Thanksgiving turkey for hospitals: multiple cyber and ransomware attacks

IT incidents were on the Thanksgiving menu at many US hospitals. It was no holiday for the hospitals experiencing attacks and outages, forcing ERs to divert to other hospitals and resort to downtime procedures. The hospitals reporting them are part of Ardent Health Services, a 30-hospital operator. Ransomware has been reported for some as the cause. Not all Ardent hospitals have been reported as affected.

A rundown of what was attacked, and where:

  • The 10-hospital UT Health East Texas (Tyler, Texas) network reverted to downtime procedures and locked down its systems after a security incident and outage. Ambulances heading to its ERs were diverted to other hospitals.
  • Lovelace Health System in Albuquerque, New Mexico, affecting six hospitals, 33 health care clinics and seven outpatient therapy clinics. 
  • BSA Health System in Amarillo, Texas 
  • The University of Kansas Health System St. Francis Campus in Topeka 
  • Hillcrest HealthCare System (Tulsa, Oklahoma) 
  • Closer to this Editor’s home, two Hackensack Meridian hospitals in New Jersey served by Ardent were ransomwared starting on Thanksgiving: Pascack Valley in Westwood and Mountainside Medical Center in Montclair. Local reports indicated a ransomware attack. The outage continued through the weekend. Other Hackensack Meridian hospitals are not served by Ardent and were not affected.

Ardent has reported this to law enforcement and in their release, stated they are still determining the full impact of the event, though working with partners to restore access to electronic medical records and operations. 

In addition to the Ardent hospitals, on Thursday the six-hospital Vanderbilt University Medical Center (Nashville, Tennessee) reported a cyberattack that compromised a database and was contained. Ransomwareistas Meow claimed that their information was leaked on the dark web. VUMC is not confirming a ransomware attack and stated that the “compromised database did not contain personal or protected information about patients or employees.”

Becker’s 27 Nov, 27 Nov (Hackensack), Asbury Park Press, News12NJ, Ardent Health release, The Record

Killnet racks up 22 more healthcare cybervictims and data thefts; whitepaper on best defense practices

Ransomware attacks keep rolling through healthcare organizations. The latest tally just for Killnet, the rogue group of pro-Russian hacktivists, is up to 22 hospitals from Los Angeles to Egg Harbor, NJ. Becker’s HealthIT on Tuesday reported on 17 listed by BetterCyber on 31 January with another six yesterday. (BetterCyber’s Twitter feed subtracted Dartmouth Health Cheshire Medical Center from the victim list yesterday, thus 22.) Most affected are regional and community hospitals.

According to SC Media’s report on an HHS Cybersecurity Coordination Center (HC3) Alert, health and personal data were ‘exfiltrated’ onto the Killnet list. Quite oddly, and this Editor is sure it’s just a coincidence, the HC3 analyst note linked is offline; on a search to cross-check the link, the HHS pages show up in index form. Also Becker’s HealthIT 1 Feb 

The attacks were DDoS (distributed denial of service), described by HC3 as “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.” This ties up IT and slows down services such as websites or information portals. The danger in DDoS attacks, as noted in previous coverage [TTA 22 Dec 22] is that DDoS can be cover for other cybercrimes or information gathering in preparation for same. 

How can a healthcare organization ‘keep calm’ and lessen the impact of cyberattack, as it’s ‘not if, but when?’ A whitepaper by Cynerio focuses on microsegmentation, a network security technique that logically divides the data center into distinct security segments down to the individual workload/workflow level, and then defines security controls. (In marketing, market profiling down to buyer personas is similar.) The paper looks at how organizations should focus on four areas: visibility, risk mitigation, real-time defense, and regulatory compliance, then work through multiple considerations. Happily, the whitepaper (no registration required) is mostly understandable to those outside of IT. It also provides three case studies and checklists. Cynerio is a NYC-based healthcare-focused cybersecurity management company that helps hospitals to manage risk and secure their IoT, IoMT, and unmanaged IT and mobile devices.
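To make the microsegmentation idea concrete, here is an added example (not Cynerio’s code or anything from the whitepaper) that audits constructed hospital network flows against a default-deny, per-segment allow-list; the segment names, IP addresses and ports are hypothetical.

```python
"""Added example: default-deny microsegmentation audit over constructed flows.
Workloads carry a segment label; POLICY is an allow-list of
(source segment, destination segment, destination port). Anything else is denied."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port

# Constructed inventory (hypothetical addresses): IP -> workload segment
INVENTORY = {
    "10.10.1.20": "ehr-app",
    "10.10.1.30": "ehr-db",
    "10.20.5.11": "iomt-pump",
    "10.20.9.5": "iomt-mgmt",
    "10.30.7.40": "clinician-ws",
}

# Allow-list; note there is no rule letting workstations reach pumps or the DB
POLICY = {
    ("clinician-ws", "ehr-app", 443),
    ("ehr-app", "ehr-db", 5432),
    ("iomt-mgmt", "iomt-pump", 8443),
    ("iomt-pump", "iomt-mgmt", 443),
}

def segment_of(ip: str) -> str:
    # Hosts missing from inventory get a segment no rule references (a visibility gap)
    return INVENTORY.get(ip, "unmanaged")

def is_allowed(flow: Flow) -> bool:
    return (segment_of(flow.src), segment_of(flow.dst), flow.dport) in POLICY

def audit(flows):
    """Return the flows the segment policy would block, in observed order."""
    return [f for f in flows if not is_allowed(f)]

# Constructed NetFlow-style sample: two legitimate flows, three violations
SAMPLE_FLOWS = [
    Flow("10.30.7.40", "10.10.1.20", 443),   # workstation -> EHR app: allowed
    Flow("10.10.1.20", "10.10.1.30", 5432),  # app tier -> database: allowed
    Flow("10.30.7.40", "10.20.5.11", 22),    # workstation -> pump SSH: lateral move
    Flow("10.30.7.40", "10.10.1.30", 5432),  # workstation -> DB: bypasses app tier
    Flow("10.40.2.2", "10.20.5.11", 8443),   # unknown host -> pump: not in inventory
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"DENY {segment_of(f.src)} -> {segment_of(f.dst)}:{f.dport}")
```

The three flagged flows are exactly the ones a flat hospital network would pass silently; the same allow-list can be rendered as firewall or switch ACL rules once the inventory is trusted.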