May 17, 2024
Change Healthcare Cyber Event – Holy Cow! What Happened?
On February 21st, Change Healthcare (a member of the United Healthcare Group) first reported a cyber incident. The incident caused Change Healthcare to take their systems offline. This affected billing, care-authorizations, prescription fulfillment, and more across the whole continent. They were ransomed for $22M. They paid it. The FBI found and broke up the hacking group that performed the hack. Some of the original hackers formed another group and extorted Change Healthcare for another $22M. You can’t make this stuff up!
Change Healthcare hacking leads to billing delays, security concerns | AP News
“UnitedHealth Group CEO Andrew Witty testified at two congressional hearings earlier [in May], where he said that the hackers breached Change using stolen credentials on a server where multifactor authentication was not enabled. The hackers then spent nine days within the system stealing data before deploying ransomware Feb. 21.”
Senator presses UnitedHealth for details on Change cyberattack (fiercehealthcare.com)
“Rick Pollack, President and CEO of the American Hospital Association, stated, ‘The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.’”
“In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1 billion or more.”
Change Healthcare attack expected to exceed $1 billion in costs (securityintelligence.com)
“[HHS] Director Rainer indicated that OCR is making Security Rule compliance an enforcement priority, and a HIPAA risk analysis initiative was announced last year. She noted that covered entities frequently do not have a risk analysis on the front end.”
Many of our client’s EHR/EMR systems could not send prescriptions to pharmacies, both on-premise and in the cloud systems. Many third-party medical billing systems could not operate. Submissions for Medicaid were problematic for many because clearinghouses were taken offline. It was an overall nightmare for the entire healthcare system.
Congress and HHS are painfully aware that the current HIPAA laws are not enough, and voluntary compliance is not working. Expect the HIPAA Security Rule to get a major overhaul, if not outright replacement, towards the end of this year.
What did the federal government THINK was going to happen when CMS sort-of-enticed-but-mostly-forced every practice to move from paper files to digital files? There was/is HUGE money in these digital EHR systems so patient privacy took a back seat. Yes, going digital makes it easier and faster for practitioners to get a person’s medical records. But now it’s easier for China to get them too.
This widely reported breach underscores that ransomware encryption is usually the very last thing a hacker does to a system after exfiltrating as much data as possible. In fact, if a target continues to provide valuable data for exfiltration, the hacker will not do anything that might alert the target. The hacker might continue exfiltrating data for years. Files are encrypted only when discovery is imminent.
Make sure MFA is mandatory for all email and EHR accounts. Tell your IT administrator that you want to see a report showing that MFA is mandatory and enabled for all email and EHR accounts. Microsoft says that over 90% of all breaches start with an email. Blackpoint Cyber says that they see ten cloud incidents for every one on-premise incident.
Categories:
