Michael Civisca, The Beacon Blog, Small Business
On February 21, 2024, Change Healthcare, a recently acquired subsidiary of UnitedHealth Group, fell victim to a ransomware attack. The attackers reached Change's oldest system and rendered its backups useless; the incident combined an employee phishing compromise, the lack of proper multi-factor authentication (MFA), and, surprisingly enough, the HVAC portal system.
The attack on Change Healthcare forced the company to shut down its systems, affecting hundreds of industry services including critical benefits verification, claims submission, patient prescription and reimbursement fulfillment plans, and disrupting healthcare operations for millions of Americans.
Who was affected in the Change Healthcare Breach?
The breach exposed highly sensitive information such as medical diagnoses, test results, personal identifiers, and Social Security numbers. First Health Advisory, a digital health risk assurance firm, described the breach as the largest healthcare cyber incident in American history, potentially affecting up to a third of all Americans and costing providers more than $100 million per day in losses.
To prevent the 6TB (Terabytes) of data from being sold on the dark web, UnitedHealth Group decided to pay the hackers $22 million after realizing the potential scope of the breach. But who can be certain that the data won’t someday be compromised?
The Change Healthcare fallout
UnitedHealth Group CEO, Andrew Witty, after testifying in March and apologetically explaining that the attack was due to a serious security oversight, was again questioned in May by the Senate Finance Committee. The worst of the breach had seemingly passed and Change Healthcare was back online. However, Witty still could not provide the number of people who may have had their data stolen, frustrating the committee.
While Change Healthcare addresses ongoing reputational damage and rebuilds trust with its partners, the ripple effect continues to reach many budget-restricted patients who have struggled to fill prescriptions. Many people were told they had to pay out-of-pocket and submit reimbursement forms while the system was under repair.
The partners and companies caught in the breach experienced increased administrative expenses. Without revenue coming in through the billing process, many small medical firms had to take high-interest loans (some as high as 50% interest) to continually make payroll, pay doctors and nurses, janitors, and all the staff needed to run the healthcare system.
Assessing the problem
The questioning by the Senate Finance Committee focused on the size and magnitude of UnitedHealth and its dominant position in the health industry. UnitedHealth's sheer size creates a special data security vulnerability: a single incident produces a wide lateral effect across the entire healthcare infrastructure. Surprisingly, the Department of Health and Human Services has not conducted a proactive cybersecurity audit in seven years.
The significant vulnerabilities in the healthcare cybersecurity infrastructure are prompting legislative action and raising questions about the responsibilities of various stakeholders.
“I’ve been sounding the alarm about cybersecurity in the healthcare sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide…”
- Sen. Mark Warner (D-VA).
Getting MSSPs into the breach mix
Senator Mark Warner (D-VA) has proposed a new bill that would impose minimum cybersecurity standards on healthcare organizations, requiring them to meet specific requirements for data protection and business conduct. In return, healthcare providers who suffer a breach could then qualify for government programs providing advanced payments.
This legislation comes in response to the frustration expressed by Congress over the lack of necessary data care redundancies at companies like UnitedHealth and Change Healthcare.
Warner’s bill aims to address these shortcomings by mandating stricter cybersecurity measures. The implications of this legislation extend beyond healthcare organizations themselves, potentially affecting Managed Security Service Providers (MSSPs) that serve as trusted advisors.
The bill could lead to MSSPs being held partially responsible for breaches that occur under their watch. For larger MSSPs, this development may require being involved in security decisions at the corporate level of their clients. Smaller MSSPs, supporting local and regional healthcare facilities, might also face increased expectations to enhance their protective measures for customers.
While these new requirements could pose challenges, they also present opportunities for MSSPs to expand their services and partnerships. For instance, companies like Cynerio, a cybersecurity solutions provider that focuses on the healthcare industry, have already begun expanding their partnerships to offer enhanced benefits to MSSPs so they can better serve their clients.
American Hospital Association pushback
However, the proposed legislation faces significant opposition. The American Hospital Association (AHA) has expressed its disagreement with legislative intervention, arguing that mandatory cybersecurity requirements unfairly place too much blame on hospitals for successful cyberattacks.
The AHA claims that many recent attacks, including the Change Healthcare incident, originated from third-party vendors rather than the hospitals themselves.
MSSP challenges
This resistance from the AHA highlights the challenges that MSSPs will need to assess. MSSPs may need to balance the potential new legal requirements with the concerns of their healthcare clients, who may feel unfairly targeted by such legislation. The proposed bill and the ongoing debate underscore the critical need for improved cybersecurity measures in the healthcare sector.
Scott Rothschild, Avalon Cyber’s Senior Regional Director of eDiscovery in Buffalo, NY, stated, “No matter how complex a company’s IT infrastructure is, employees at all levels can still make mistakes, such as falling for phishing scams, misconfiguring servers, or failing to apply security patches promptly. We see it time and time again. We help companies and law firms every day navigate before and after social engineering attacks. Unfortunately, many times we are called in after the breach, but that’s beginning to change as more companies realize data care is just the new normal.”
Change Healthcare moving forward
Congress stated that there were multiple opportunities to prevent, detect, and mitigate this attack, and that UnitedHealth Group failed at every single one, even after those failures had been discovered. It is reasonable to acknowledge that technology develops quickly and new vulnerabilities are continuously being discovered; keeping up with these advancements and ensuring all systems are up to date is a perpetual challenge for any company.
In response to the attack, Change Healthcare has engaged experts from various tech giants, including Google, Microsoft, Cisco, and Amazon to help rebuild their technology infrastructure and enhance security protocols. The cost is expected to be unprecedented.
As of June 2024, approximately 80% of Change Healthcare’s functionality has been restored, with full restoration expected in the coming weeks. Key services like pharmacy and medical claims processing are operating at levels similar to before the attack.
The future
The U.S. government is taking steps to enhance data security in the healthcare sector, including developing voluntary healthcare-specific cybersecurity performance goals. There may also be discussions about making mandatory public disclosure a standard practice, which would require companies to publicly disclose their cybersecurity strategies and allow consumers to understand the measures being taken to protect their data.
Perhaps government could implement a cybersecurity rating system for companies, similar to credit ratings: the more proactive a company is with its data care efforts, the higher its rating. Government could also require companies to conduct regular cybersecurity audits by independent third parties.
This massive cyber breach is yet another call to action: our country needs top cybersecurity standards that protect essential infrastructure across the country. Most importantly, all industries, especially healthcare, need more stringent regulations and strict federal enforcement.
Contact Port Haven Cyber at connect@porthavencyber.com today or call 716-704-0907 to discuss your security questions.
Port Haven Cyber. Cybersecurity for small businesses.
We specialize in empowering small companies with education and cost-effective solutions. We have developed special rates with our partners to help small businesses stay safe and informed while they grow. Our tools blend advanced malware detection with trade-craft detection, offering a unique shield against the ever-evolving tactics of cyber issues.