As Change Healthcare’s outage drags on, fears develop that affected person knowledge may very well be launched

A cyberattack at U.S. well being tech large Change Healthcare has floor a lot of the U.S. healthcare system to a halt for the second week in a row.

Hospitals have been unable to verify insurance coverage advantages of in-patient stays, deal with the prior authorizations wanted for affected person procedures and surgical procedures, or course of billing that pays for medical companies. Pharmacies have struggled to find out how a lot to cost sufferers for prescriptions with out entry to their medical health insurance data, forcing some to pay for pricey drugs out of pocket with money, with others unable to afford the prices.

Since Change Healthcare shut down its network suddenly on February 21 in an effort to comprise the digital intruders, some smaller healthcare suppliers and pharmacies are warning of crashing money reserves as they battle to pay their payments and workers with out the regular circulate of reimbursements from insurance coverage giants.

Change Healthcare’s mother or father firm UnitedHealth Group stated in a filing with government regulators on Friday that the well being tech firm was making “substantial progress” in restoring its affected techniques.

Because the near-term impression of the continued outages on sufferers and suppliers turns into clearer, questions stay concerning the safety of thousands and thousands of individuals’s extremely delicate medical data dealt with by Change Healthcare.

From Russia, a prolific ransomware gang taking credit for the cyberattack on Change Healthcare claimed — with out but publishing proof — to have stolen huge banks containing thousands and thousands of sufferers’ personal medical knowledge from the well being tech large’s techniques. In a brand new twist, the ransomware gang now seems to have faked its personal demise and dropped off the map after receiving a ransom cost value thousands and thousands in cryptocurrency.

If affected person knowledge has been stolen, the ramifications for the affected sufferers will probably be irreversible and life-lasting.

Change Healthcare is without doubt one of the world’s largest facilitators of well being and medical knowledge and affected person data, dealing with billions of healthcare transactions yearly. Since 2022, the well being tech large has been owned by UnitedHealth Group, the most important medical health insurance supplier in the USA. Lots of of 1000’s of physicians and dentists, in addition to tens of 1000’s of pharmacies and hospitals throughout the U.S., depend on it to invoice sufferers based on what their medical health insurance advantages allow.

That measurement presents a specific danger. U.S. antitrust officials unsuccessfully sued to block UnitedHealth from buying Change Healthcare and merging it with its healthcare subsidiary Optum, arguing that UnitedHealth would get an unfair aggressive benefit by having access to “about half of all Americans’ health insurance claims pass each year.”

For its half, Change Healthcare has repeatedly prevented saying up to now whether or not affected person knowledge has been compromised within the cyberattack. That has not assuaged healthcare executives who fear that the data-related fallout of the cyberattack is but to come back.

In a March 1 letter to the U.S. government, the American Medical Affiliation warned of “significant data privacy concerns” amid fears that the incident “caused extensive breaches of patient and physician information.” AMA president Jesse Ehrenfeld was quoted by reporters as saying that Change Healthcare has supplied “no clarity about what data was compromised or stolen.”

One cybersecurity director at a big U.S. hospital system advised TechCrunch that although they’re in common contact with Change and UnitedHealth, they’ve heard nothing up to now concerning the safety or integrity of affected person data. The cybersecurity director expressed alarm on the prospect of the hackers probably publishing the stolen delicate affected person knowledge on-line.

This individual stated that Change’s communications, which have step by step escalated from suggesting that knowledge may need been exfiltrated, all the best way as much as acknowledging an energetic investigation with a number of incident response companies, counsel it’s only a matter of time earlier than we learn the way a lot has been stolen, and from whom. Clients will bear a part of the burden of this hack, this individual stated, asking to not be quoted by title as they aren’t licensed to talk to the press.

Ransomware gang pulls ‘exit scam’

Now, the hackers appear to have disappeared, including to the unpredictability of the state of affairs.

UnitedHealth initially attributed the cyberattack to unspecified government-backed hackers, however later walked again that declare and subsequently pointed the blame at the Russia-based ransomware and extortion cybercrime group known as ALPHV (also referred to as BlackCat), which has no recognized hyperlinks to any authorities.

Ransomware and extortion gangs are financially motivated and typically employ double-extortion tactics, first scrambling the sufferer’s knowledge with file-encrypting malware, then swiping a duplicate for themselves and threatening to publish the information on-line if their ransom demand isn’t paid.

On March 3, an affiliate of ALPHV/BlackCat — successfully a contractor that earns a fee for the cyberattacks they launch utilizing the ransomware gang’s malware — complained in a posting on a cybercrime discussion board claiming that ALPHV/BlackCat swindled the affiliate out of their earnings. The affiliate claimed within the put up that ALPHV/BlackCat stole the $22 million ransom that Change Healthcare allegedly paid to decrypt their recordsdata and stop knowledge leaking, as first reported by veteran security watcher DataBreaches.net.

As proof of their claims, the affiliate supplied the exact crypto wallet address that ALPHV/BlackCat had used two days earlier to allegedly obtain the ransom. The pockets confirmed a single transaction worth $22 million in bitcoin at the time of cost.

The affiliate added that regardless of having misplaced their portion of the ransom, the stolen knowledge is “still with us,” suggesting the aggrieved affiliate nonetheless has entry to reams of stolen delicate medical and affected person knowledge.

UnitedHealth has declined to confirm to reporters whether or not it paid the hackers’ ransom, as a substitute saying the corporate is targeted on its investigation. When TechCrunch requested UnitedHealth if it disputed the reviews that it paid a ransom, an organization spokesperson didn’t reply.

By March 5, ALPHV/BlackCat’s web site was gone in what researchers consider is an exit rip-off, the place the hackers run off with their new fortune by no means to be seen once more, or keep low and reform later as a brand new gang.

The gang’s darkish net web site was changed with a splash display purporting to be a regulation enforcement seizure discover. In December, a worldwide regulation enforcement operation took down portions of ALPHV/BlackCat’s infrastructure however the gang returned and shortly started concentrating on new victims. However this time, safety researchers suspected the gang’s own deception at play, fairly than one other lawful takedown effort.

A spokesperson for the U.Ok. Nationwide Crime Company, which was concerned within the preliminary ALPHV/BlackCat’s disruption operation final 12 months, advised TechCrunch that ALPHV/BlackCat’s ostensibly seized web site “is not a result of NCA activity.” Different international regulation enforcement businesses additionally denied involvement within the group’s sudden disappearance.

It’s not unusual for cybercrime gangs to reform or rebrand as a approach to shed reputational points, the type of factor one may do after being busted by regulation enforcement motion or making off with an affiliate’s illicit earnings.

Even with a cost made, there is no such thing as a assure that the hackers will delete the information. A current international regulation enforcement motion geared toward disrupting the prolific LockBit ransomware operation discovered that the cybercrime gang did not always delete the victim’s data because it claimed it might if a ransom was paid. Firms have begun to acknowledge that paying a ransom does not guarantee the return of their files.

For these on the front-lines of healthcare cybersecurity, the worst-case situation is that stolen affected person data change into public.

The affected person security and financial impacts of this are going to be felt for years, the hospital cybersecurity director advised TechCrunch.

Do you’re employed at Change Healthcare, Optum or UnitedHealth and know extra concerning the cyberattack? Get in contact on Sign and WhatsApp at +1 646-755-8849, or by email. You can too ship recordsdata and paperwork through SecureDrop.