HHS steps in after cyberattack on Change Healthcare prompts ransom payment fears

Change Healthcare struggled to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks.

The cyber disruption affected thousands of pharmacies and providers across the US, which have implemented workarounds to service patients.

There are indications that the US healthcare giant has made a $22m extortion payment to the infamous BlackCat ransomware group, cyber experts have said. (BlackCat is also referred to as “ALPHV”.)

But the cybercriminal who claims to have given BlackCat access to Change Healthcare’s network says (via a member-only cybercriminal forum) the criminal gang cheated them out of their share of the ransom, and that they still have the sensitive data that the business reportedly paid the group to destroy.

So far spokespeople from Change Healthcare have not answered queries from news outlets on the reports of the ransom payment – stating only that they are “focused on the investigation and restoring services”.

One of the largest healthcare technology companies in the US and a subsidiary of UnitedHealth Group, Change Healthcare handles billions of healthcare transactions per year.

HHS steps in

The attack on Change’s networks disrupted pharmacies, hospitals and other medical facilities’ ability to collect insurance payments. The list of affected Change Healthcare partners the hackers stole sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

Pressure mounted on the US government to step in, which it did this week through the US Department of Health and Human Services.

“Numerous hospitals, doctors, pharmacies and other stakeholders have highlighted potential cash flow concerns to HHS stemming from an inability to submit claims and receive payments. HHS has heard these concerns and is taking direct action and working to support the important needs of the health care community,” HHS said in its release this week.

The Centers for Medicare & Medicaid Services, HHS says, has already acted to assist providers, including by instructing Medicare administrative contractors to expedite claims for electronic data interchange enrollments and accept paper claims.

CMS is strongly encouraging other payers, including state Medicaid and Children’s Health Insurance Program agencies and managed care plans, to waive or expedite solutions for this electronic requirement, HHS says.

US cyber approach

HHS says the incident is a reminder of the interconnectedness of the domestic healthcare ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.

In December 2023, HHS released a concept paper that outlines its cybersecurity strategy for the sector. The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.

“HHS also takes this opportunity to encourage all providers, technology vendors, and members of the healthcare ecosystem to double down on cybersecurity, with urgency,” the agency said.

Paying ransoms

Change Healthcare’s probable ransom payment comes as the Biden administration weighs banning the payment of such money to hackers during cyberattacks.

Nationally, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) advise entities not to pay ransoms, citing the fact that the payments keep ransomware gangs in business and hackers often still hold onto some data after being paid.

The FBI and CISA request that ransomware victims notify law enforcement so they can track incidents and assist in future prosecution. When submitting a ransomware report to CISA, organizations can request assistance if they need it, and there is a ransomware response checklist to help organizations start their recovery process.

If an organization submits a report to CISA, it doesn’t have to notify other law enforcement agencies. And the FBI has said companies should not be concerned about the FBI or Department of Justice reporting them to the SEC, noting that the FBI has “no role” in the relationship between a company and its regulator.

What the Biden administration will likely run up against will be the argument put forward by businesses for a while now: It can be cheaper to pay the ransom – even just getting back a segment of the data lost – than it is for the company to totally rebuild its network.

Paying ransomware attackers can be seen as funding terrorism, depending on the nation state the group operates out of, exposing the business to legal and regulatory repercussions. (In 2021, the Foreign Assets Control unit of the US Treasury declared it illegal to pay a ransom in at least some cases, providing advice on the steps companies can take to avoid sanctions penalty risks.)

And there are an increasing number of state-based rules pertaining to making ransom payments.

In November, New York joined several other states in mandating that companies (with some states just making it mandatory for state agencies) report any ransom payments they have made in a certain timeframe.

Under New York’s rules, regulated firms must now report any payment made to hackers within 24 hours of that payment. The business must also provide a written description within 30 days of the reasons that the payment was necessary, the alternatives that were considered, and the diligence that was performed with respect to the incident to ensure compliance with applicable law.

Threats of litigation

As if being the center of attention for having sensitive data hacked and your critical healthcare services badly affected is not bad enough, Change Healthcare faces possible litigation from patients — with law firms advertising their desire to help them.

Patients who have been affected by the disruptions to their care and access to prescription drugs have been contacted by law firms offering to help them seek redress for being forced to pay out-of-pocket for prescriptions or be delayed in getting refills.

Some of the medications cost thousands of dollars. “This is likely just the start of a litigation bonanza,” Ryan Higgins, a partner at McDermott Will & Emery, said.

UnitedHealth responds

UnitedHealth has provided ongoing updates to the public about the attack, processing of claims, payments and its service restoration status.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, such as Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers,” UnitedHealth Group said.