Ransomware Hackers Disrupt Healthcare Payment System

By Darius Tahir, KFF Health News

Early in the morning of Feb. 21, Change Healthcare, a company unknown to most Americans that plays a huge role in the U.S. health system, issued a brief statement saying some of its applications were “currently unavailable.”

By the afternoon, the company described the situation as a “cyber security” problem.

Since then, it has rapidly blossomed into a crisis.

The company, recently purchased by insurance giant UnitedHealth Group, reportedly suffered a cyberattack. The impact is wide and expected to grow. Change Healthcare’s business is maintaining health care’s pipelines — payments, requests for insurers to authorize care, and much more. Those pipes handle a big load: Change says on its website, “Our cloud-based network supports 14 billion clinical, financial, and operational transactions annually.”

Initial media reports have focused on the impact on pharmacies, but techies say that’s understating the issue. The American Hospital Association says many of its members aren’t getting paid and that doctors can’t check whether patients have coverage for care.

But even that’s just a slice of the emergency: CommonWell, an institution that helps health providers share medical records, information critical to care, also relies on Change technology. The system contained records on 208 million individuals as of July 2023. Courtney Baker, CommonWell marketing manager, said the network “has been disabled out of an abundance of caution.”

“It’s small ripple pools that will get bigger and bigger over time, if it doesn’t get solved,” Saad Chaudhry, chief digital and information officer at Luminis Health, a hospital system in Maryland, told KFF Health News.

Here’s what to know about the hack:

Who Did It?

Media reports are fingering ALPHV, a notorious ransomware group also known as BlackCat, which has become the target of numerous law enforcement agencies worldwide. While UnitedHealth Group has said it is a “suspected nation-state associated” attack, some outside analysts dispute the linkage. The gang has previously been blamed for hacking casino companies MGM and Caesars, among many other targets.

The Department of Justice alleged in December, before the Change hack, that the group’s victims had already paid it hundreds of millions of dollars in ransoms.

(Update: UnitedHealth confirmed Thursday that BlackCat was responsible for the hacking. “We are actively working to understand the impact to members, patients and customers,” Tyler Mason, a vice president at UnitedHealth, told TechCrunch.

Another UnitedHealth executive said the payment system could be disrupted “for the next couple of weeks,” according to STAT News.

In a post on its website, BlackCat took credit for the cyberattack and claimed to have stolen millions of Americans’ sensitive health and patient information. The post was later deleted.)

Is This a New Problem?

Absolutely not. A study published in JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other providers doubled from 2016 to 2021.

“It’s more of the same, man,” said Aaron Miri, the chief digital and information officer at Baptist Health in Jacksonville, Florida.

Because the assaults disable the target’s computer systems, providers have to shift to paper, slowing them down and making them vulnerable to missing information.

Further, a study published in May 2023 in JAMA Network Open examining the effects of an attack on a health system found that waiting times, median length of stay, and incidents of patients leaving against medical advice all increased — at neighboring emergency departments. The results, the authors wrote, mean cyberattacks “should be considered a regional disaster.”

Attacks have devastated rural hospitals, Miri said. And wherever health care providers are hit, patient safety issues follow.

Care can also suffer. For example, a 2017 attack, dubbed “NotPetya,” forced a rural West Virginia hospital to reboot its operations and hit pharma company Merck so hard it wasn’t able to fulfill production targets for an HPV vaccine.

Because of the Change Healthcare attack, some patients may be routed to new pharmacies less affected by billing problems. Patients’ bills may also be delayed, industry executives said. At some point, many patients are likely to receive notices their data was breached. Depending on the exact data that has been pilfered, those patients may be at risk for identity theft, Chaudhry said. Companies often offer free credit monitoring services in those situations.

“Patients are dying because of this,” Miri said. Indeed, an October preprint from researchers at the University of Minnesota found a nearly 21% increase in mortality for patients in a ransomware-stricken hospital.

How Did It Happen?

The Health Information Sharing and Analysis Center, an industry coordinating group that disseminates intel on attacks, has told its members that flaws in an application called ConnectWise ScreenConnect are to blame. Exact details couldn’t be confirmed.

It’s a tool tech support teams use to remotely troubleshoot computer problems, and the attack is “apparently fairly trivial to execute,” H-ISAC warned members. The group said it expects additional victims and advised its members to update their technology. When the attack first hit, the AHA recommended its members disconnect from systems both at Change and its corporate parent, UnitedHealth’s Optum unit. That would affect services ranging from claims approvals to reference tools.

Millions of Americans see physicians and other practitioners employed by UnitedHealth and are covered by the company’s insurance plans. UnitedHealth has said only Change’s systems are affected and that it’s safe for hospitals to use other digital services provided by UnitedHealth and Optum, which include claims filing and processing systems.

But not many chief information officers “are jumping to reconnect,” Chaudhry said. “It’s an uneasy feeling.”

Miri says Baptist is using the conglomerate’s technology and that he trusts UnitedHealth’s word that it’s safe. Neither executive was sanguine about the future of cybersecurity in health care.

“It’s going to get worse,” Chaudhry said.

“It’s a shame the feds aren’t helping more,” Miri said. “You’d think if our nuclear infrastructure were under attack the feds would respond with more gusto.”

While the departments of Justice and State have targeted the ALPHV group, the government has stayed behind the scenes more in the aftermath of this attack. Chaudhry said the FBI and the Department of Health and Human Services have been attending calls organized by the AHA to brief members about the situation.

Miri said rural hospitals in particular could use more funding for security and that agencies like the Food and Drug Administration should have mandatory standards for cybersecurity.

There’s some recognition among officials that improvements need to be made.

“This latest attack is just more evidence that the status quo isn’t working and we have to take steps to shore up cybersecurity in the health industry,” said Sen. Mark Warner (D-Va.), the chair of the Senate Select Committee on Intelligence and a longtime advocate for stronger cybersecurity, in a statement to KFF Health News.

KFF Health News is a national newsroom that produces in-depth journalism about health issues.

Facebook Pain Groups Attacked by Spammers

By Pat Anson, Editor

The websites all have innocent sounding names, like Personal Medical Treatments, Personal Health, and Health Care Solutions Plus.

Their articles also sound interesting, with titles like “7 Ways to Relieve Fibromyalgia Pain” and “Alternatives Treatments: The Rx for Chronic Pain is Changing.”

But when you dig a little deeper, things don’t add up. The websites have no advertising, so how are they funded? Why do they all seem to be based in Pakistan or Panama? Did “Zafar Iqbal” really write that article about alternative pain treatments in Duluth, Minnesota?

And why are all of their articles apparently stolen from other websites – a clear violation of copyright laws?

Those are some of the questions being asked by administrators and members of chronic pain support groups on Facebook, who have been deluged with thousands of links to these bogus websites for the last few months.

The links are usually posted by new group members who only recently joined Facebook and have very little information in their profiles. As fast as the bogus links and the suspicious posters are deleted, they return under new names with new links to articles such as the following:

“To a Friend With a Chronic Illness Who’s Feeling Hopeless” was apparently stolen from TheMighty.com.

“How Painkillers Make Headaches and Chronic Pain Worse Over Time” was taken from TheHeartySoul.com.

“In the Shadow of an Opioid Crisis, Super Bowl Ad Spotlights Chronic Pain Patients” (allegedly written by the mysterious Zafar Iqbal) was copied and pasted from StatNews (the real author is Rebecca Robbins).

Pain News Network has been victimized in this scam too. Columnist Ellen Lenox Smith emailed me this week asking why her column “8 Tips for Patients Newly Diagnosed with Ehlers-Danlos” reappeared without permission in CaringCare.Info.

“Is this appropriate?” Ellen wanted to know.

No Ellen, it is not. It’s fraud and copyright theft.

The problem has become so acute that the administrators of a large Facebook support group recently closed it to new members.

“Due to an attack by plagiaristic & duplicate posters we are putting a temporary moratorium on new members,” wrote Barbara Mills, who made the move reluctantly because she knows many pain sufferers are looking for friendship and support in Facebook groups such as hers.

Barbara told me in the recent past she was offered money to post the links herself, but declined.

More is at stake here than plagiarism, copyright laws and unhappy editors like me who hate seeing their articles stolen. I think the ultimate goal of these con artists is to hack into our computers and smartphones. Click on one of their links, and you could pick up an unwanted cookie, computer virus, or even a “keylogger” that can be used to record your internet activity, usernames and passwords.

People who sign up for their newsletters by providing their email address are also putting themselves at risk, not just for a deluge of spam, but for malicious programs such as a “trojan horse” they could download without even knowing it.

If you’re a Facebook member and you see these suspicious posts, what should you do?

  • If you’re not familiar with the website, don’t share or “like” it. That only spreads the post like a virus to your friends and other groups. It’s also precisely what the spammers want you to do.

  • If you see someone constantly sharing links to bogus websites, check the poster’s profile. If they have only a few photos, no friends and just recently joined Facebook, chances are they are fake.

  • If you’re an administrator and you see these bogus posts appearing in your closed Facebook group, you may have to start deleting offenders and close your group to new members until the problem stops.

  • Report suspicious posts and posters to Facebook.

  • Keep your anti-virus software up-to-date and your firewall on.

If you’re feeling really adventurous, you can visit HypeStat, which I use to see how legit a website is. Enter the website’s URL, click search and scroll down the page. You’ll see what country a website is registered in and how long it has been around.

You might even run into the prolific Zafar Iqbal, who has apparently abandoned Duluth and is now writing articles about British Airways crews making peanut allergy announcements and how cannabis kills 30,000 people a year.

Facebook has been a godsend for pain sufferers around the world seeking support, friendship, and solutions to their chronic pain issues. It’s a shame that others are taking advantage of the pain community -- which is already under attack in so many ways, not just online.