Change Healthcare begins restoring service after cyberattack – while lawsuits begin
As it begins to recover from the Change Healthcare cyberattack, UnitedHealth Group said this week it is enabling its Rx Connect, Rx Edit and Rx Assist services for customers who have configured direct Internet access.
UnitedHealth also offered a timeline for the full restoration of Change Healthcare’s services.
“We expect to begin testing and restoring connectivity to our claims network and software on March 18, with service restoring that week,” the company said in an announcement posted on its website about the cyberattack, which began on February 21.
Here’s a roundup of other news related to the weeks-long attack, including a new wave of lawsuits from customers affected by the breach, news on the current status of the BlackCat ransomware group, and expert perspectives on why UnitedHealth may have paid the ransom.
ALPHV fakes takedown after $22 million in Bitcoin was paid
According to Recorded Future News on Friday, the Ministry of Justice, Europol and the UK’s National Crime Agency – all part of a December takedown of the BlackCat ransomware – denied any involvement in a new takedown notice posted on ALPHV’s website.
“This tactic serves as a means for them to pull off one last major scam before they reemerge with less scrutiny,” said Reegun Jayapaul, director of Trustwave, in the story.
One BlackCat ransomware partner reportedly claimed that, after receiving the $22 million payment, the ALPHV leaders shut down and essentially stole the entire ransom from their affiliates, making the Change Healthcare breach their last hurrah.
Ngoc Bui, a cybersecurity expert at Menlo Security, told Healthcare IT News by email this week that it is “highly likely” that ALPHV/BlackCat was responsible for the attack and that “the blog site discussing these matters appears to be using a fake seized landing page, possibly indicating an exit scam by hackers.”
The reason for this is that the “ransomware group may have taken the money and disabled servers to avoid law enforcement attention,” he said.
Delays for patients, privacy, ongoing lawsuits
In the meantime, Axios reported on Wednesday that the first patient lawsuits after the cyberattack are starting to emerge, focusing on the loss of access to essential prescriptions and treatments.
However, the potential exposure of data exfiltrated during the attack, which could amount to 6TB, is also a concern for UHG. The cybercriminals claimed that the stolen data contained proprietary information held by the US military’s Tricare health program, Medicare, CVS Caremark, MetLife, Health Net and others, a BleepingComputer report said on February 28.
“There are concerns that Change Healthcare’s activities could impact the healthcare data of many Americans, given its extensive services and expertise in processing healthcare data,” Bui said.
Stolen data can have far-reaching consequences in the long term.
“Healthcare information is the most sought-after and marketable data by attackers and on the dark web because it can be used in so many ways to commit fraud,” said Kurt Osburn, director of risk management and governance at NCC Group, a global cybersecurity consultancy, in an emailed statement.
Protecting assets and information is expensive and requires additional staff and managed services, he said. Most healthcare organizations fail to implement risk assessment and mitigation tools due to cost.
Michael McLaughlin, director of the cybersecurity and data privacy practice group at the law firm Buchanan Ingersoll and Rooney, said in an email Thursday that while UHG, owner of Optum’s Change Healthcare, has not disclosed the full extent of the data breach, one class action lawsuit alleges the types of data that have been exfiltrated.
The lawsuit, filed in federal court in Minnesota, alleges that the ransomware group took personally identifiable information, medical records, dental records, payment information, claims information, patient information (i.e. phone numbers, addresses, social security numbers and email addresses), insurance records, patient health information and more.
McLaughlin said the lawsuit bases the data on the group’s claims about its role in the Change cyberattack, and recommended taking it with a grain of salt.
“I would urge caution in relying on statements from the ransomware actor about the types of data affected,” he wrote. The ransomware actor likely sampled files indicating they may contain sensitive information “and based his statement on that cursory assessment,” he said.
“This is in no way representative of the data as a whole,” McLaughlin says.
The extent of the breach? Too early to tell
“UHG paying the ransom is not an indication of the sensitivity of the data,” McLaughlin said.
He explained that he believed UHG’s decision to pay was likely driven primarily by the need to resume business operations as quickly as possible “rather than to protect the data from further exposure.”
With widespread reports of providers under pressure from the outage, a number of organizations, such as the American Medical Association, have called on lawmakers in Washington, D.C., to release emergency funds to protect providers across the country from the financial consequences.
UHG is likely investigating the full scope of the incident and trying to understand the individuals affected and the types of data involved, McLaughlin said.
It’s a labor-intensive process that requires sophisticated data mining and manual human review of “potentially millions of files.”
“We will not know the full scope of the data involved until this process is complete and UHG conducts its notifications of affected individuals in accordance with state law and federal regulations,” he said.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.