Healthcare cyberattack continues to impact pharmacies as warnings of H-ISAC issues emerge

The Health Information Sharing and Analysis Center issued a bulletin Monday following a cyberattack on Change Healthcare on Feb. 21, resulting in widespread payment processing outages.


Health-ISAC says this in one threat intelligence bulletin On Monday, based on information published by intelligence agency RedSense, Change Healthcare and other organizations, this was breached via the ConnectWise ScreenConnect vulnerabilities – CVE-2024-1708 and CVE-2024-1709.

ScreenConnect is remote desktop software with both on-premises and in-cloud deployments.

ConnectWise warned users on February 19 of a remote code execution flaw that can be used to bypass authentication on ScreenConnect servers and advised its customers to update immediately to prevent attacks, as Health-ISAC says more organizations will be at risk come.

“We expect to see additional victims in the coming days,” investigators said.

Health-ISAC also emphasized that healthcare organizations with ConnectWise ScreenConnect in their environment are assessing the specific indicators and recommendations in the bulletin.

While Change Healthcare, a software and data analytics provider that is part of Optum and owned by UnitedHealth Group, said in an update on its website Monday that it has “a high level of confidence” that Optum and United’s systems are not affected by the cyber incident, it has taken its own systems offline.

“Upon becoming aware of the external threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact,” the company said in a statement. the update. “This action was taken so that our customers and partners do not have to do this.”

Health-ISAC advised organizations to consider the risks and consequences of also withdrawing from Optum, which would impact prior procedure authorizations, electronic prescribing and other patient care functions.

“Ultimately, your organization must determine whether or not to specifically block Optum, while considering all risks and consequences,” the organization said.

The American Hospital Association also has one advisory On Monday to its members about its coordination with the recommendations of the threat information.

In a previous warningAHA had recommended that all healthcare organizations that were disrupted or potentially exposed consider disconnecting from Optum until it was deemed safe to reconnect.


Reuters reported this on Monday source of the attack The Blackcat ransomware gang is behind the disruption at pharmacies, according to sources who cite Alphabet’s Mandiant as responsible for incident handling.

In December, the FBI announced that it had seized Blackcat’s servers and its website, but the ransomware group claimed in a letter to KrebsonSecurity that it had seized the server and would offer affiliates a 90% commission.

Blackcat has attacked numerous hospitals, said John Riggi, AHA’s national advisor for cybersecurity and risk.

“This also serves as an example of how critical it is for victims of cyber attacks and the healthcare industry to exchange cyber threat information with the government,” he said as the FBI announced it has decryption keys for victims of the Blackcat ransomware.


“Regardless of what happened at Change Healthcare, RedSense expects that more organizations will be compromised as the ScreenConnect exploit is apparently quite trivial to perform,” Health-ISAC researchers said in the bulletin.

“When considering connectivity to unimpacted Change Healthcare systems, each healthcare organization must weigh potential clinical disruption and business impact caused by disconnecting unimpacted Optum, Change Healthcare, UnitedHealthcare, and/or United Health Group systems,” AHA said in a statement.

Andrea Fox is editor-in-chief of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.