FEATURES

The Hacking of Change Healthcare

 

What happened?

This year, the largest health insurance hack in history took place. If you’re a therapist who takes insurance, you’ve probably heard about the Change Healthcare hack already. The hack has implications for mental health practitioners and the healthcare industry.

The saga began in October of 2022 when Optum acquired Change Healthcare. Optum is owned by UnitedHealth Group (UHG). Change Healthcare is a clearinghouse that transfers medical claims between providers’ offices and insurance companies. Although owned by UnitedHealth Group, Change Healthcare processes claims for many different insurance companies including Tricare. One-third of all claims in the United States pass through Change Healthcare, about 15 billion annually.

Change Healthcare was a 40-year-old company and in testimony to the Senate Finance Committee, its cybersecurity system was described as “layered,” as in layers of security that have been added over the last four decades. UHG CEO Andrew Witty said in Senate testimony: “Our team was working to bring this server up to UHG’s standards,” (U.S. Senate Committee on Finance, 2024).

On February 12, 2024, a hacker group with a possible Russian affiliation called ALPHV or BlackCat (The Energy and Commerce Committee, 2024) obtained access to Change Healthcare through stolen credentials. The account did not even have multi-factor authentication. The hackers spent 9 days in Change’s system using privilege escalation to gain further access to the system, all the while extracting patient information. The hackers were not detected inside Change’s system.

On February 21, 2024, the hackers deployed a ransomware attack inside Change Healthcare and encrypted their systems. UnitedHealth Group severed connectivity with Change Healthcare’s data centers. According to his testimony before the Senate Finance Committee, UnitedHealth Group CEO Andrew Witty defended this choice. He warned that the attack would have been worse if the hackers had subsequently gained access to other parts of the network (UnitedHealth Group, 2024). Shutting down Change Healthcare meant that one-third of claims traffic in the United States could no longer be processed. Pharmacies couldn’t fill prescriptions and providers could not be paid for sessions.

The same day, February 21, UHG contacted the FBI. In his Senate testimony, Witty denied that the FBI instructed him to withhold information from patients and providers about the hack. By the afternoon of the 21st, experts were en route to Change’s server center in Nashville to begin rebuilding Change Healthcare’s systems from the ground up, focusing on pharmacy networks (UnitedHealth Group, 2024). On February 22, UGH contacted the US Department of Health and Human Services about the hack. UHG suspended the need for certain types of preauthorizations after the hack since these could not be processed. It also began issuing no-cost, no-interest loans to providers who had no cash resources to operate (U.S. Senate Committee on Finance, 2024).

On March 4, 2024, a Wired article announced that Change Healthcare had paid $22 million dollars for an encryption key from the hackers (Greenberg, 2024a). On March 5, BlackCat’s website appeared to have been taken over by the FBI. A cybersecurity analyst published an article saying that an affiliate of the BlackCat hacker group posted on a Russian-language-only dark-web forum that he had not been paid by BlackCat (Staff, 2024). Hacker groups typically partner with affiliates for jobs like this, splitting the ransom with 80% to the affiliates and 20% to the group (Jones, 2024). Analysts concluded that BlackCat pulled an “exit scam” to avoid paying the affiliates their share (Krebs, 2024). On March 8, another hacker group called RansomHub posted that they were the jilted affiliate. They hadn’t been paid but still had all the data extracted from Change Healthcare from February 12 to 20. They said that they would leak all the data online if UHG didn’t pay them and posted 22 screenshots of patient information online to prove it (Greenberg, 2024b). To date, no one knows whether UHG paid this second ransom.

On March 15, UHG released a press statement announcing that they had restored 99% of Change Healthcare’s pharmacy network services and Change had begun to process claims again. On April 15, prior authorizations were reinstated (U.S. Senate Committee on Finance, 2024). On April 26, UHG announced they had granted more than $6.5 billion in loans to providers, with 34% of that going to “safety-net hospitals” (Senate Finance, 2024). By May 15, the company said it had given $7 billion in loans. After providers regained the ability to repay claims they had 45 days to repay the loans. One senator derided UHG’s efforts to support providers during the outage, saying: “Providers are looking for financial stability and reassurance, not another creditor” (U.S. Senate Committee on Finance, 2024).

If you needed any proof of the thin margins on which healthcare companies operate, listen to lawmakers share stories from their constituents about what happened when they weren’t paid for three weeks.

The effects have been devastating. There were two congressional hearings, one to the Senate Finance Committee and another to the Subcommittee of Oversight and Investigations, which is a part of the House Energy and Commerce Committee. If you needed any proof of the thin margins on which healthcare companies operate, listen to lawmakers share stories from their constituents about what happened when they weren’t paid for three weeks. At one point, a health center in Texas was facing $14 million in outstanding claims. Another Texas group had to eliminate dental services to make ends meet. Mental healthcare providers were singled out as particularly vulnerable, with one senator citing a mental health provider from Providence who missed payments on their mortgage and car due to the Change Healthcare outage (U.S. Senate Committee on Finance, 2024). Ron Wyden, Chair of the Senate Finance Committee, said that mental health providers were left “holding the bag, stuffing envelopes with paper claims” (Wyden, 2024).

Questions about cybersecurity

During senate testimony, CEO Witty said that UHG is working with the FBI to identify whose data was compromised, which is why no one has been notified yet (U.S. Senate Committee on Finance, 2024). The U.S. Department of Health and Human Services (HHS) Office for Civil Rights released a statement on May 31, 2024, explaining that covered entities affected by the data breach may delegate notification responsibilities to Change Healthcare once they find out whose data was compromised (Office for Civil Rights, 2024).

UnitedHealth Group is the fourth largest company in the United States, and about five percent of the nation’s gross domestic product flows through its systems every day. Lawmakers asked, reasonably, what steps a company with these resources had taken to defend against cyberattacks. In the house hearing, one representative referenced UHG’s contracts with Medicare (UHG is the largest private insurer in Medicare Advantage): “when a taxpayer funnels tens of billions in subsidies to your company there is a reasonable expectation they will get a baseline value for their money,” (House, 2024).

BlackCat’s strategy was not brilliant or innovative; it’s more or less hacking 101. Mitre Att&ck is a knowledge base of strategies hackers use. I spoke with a cybersecurity policy analyst who has researched BlackCat. They declined to be identified for fear of retaliation. They told me this type of hack is easy. You could get access to someone’s social media account and then do a search for “password” or “login.” Then you use whatever passwords you obtain to get access to more accounts. They told me, “Whether or not there is a relationship between Ransomhub and the Black Cat affiliate who breached Change Healthcare initially, two threat actors targeting this company in a short period of time tells a pretty clear story: they’re a soft target.”

In his Senate testimony, CEO Witty said that cybersecurity is a standing agenda item at quarterly meetings. Senators asked whether any data handled by Change Healthcare is regularly sent overseas, perhaps information involving protected health information and medical records. Witty said that yes, “U.S. customer data may be processed or accessed outside the United States” (U.S. Senate Committee on Finance, 2024).

There seem to be no consequences in UnitedGroup’s future. United Healthcare is the fourth-largest insurance company in the country and the largest employer of physicians. During senate hearings, one senator pointed out: “United has taken advantage of the crisis that the Change hack created to justify its purchases and acquire physician practices at a lower cost,” which Witty denied. He promised “not to use provider information from the temporary relief program to inform our corporate development strategy” (U.S. Senate Committee on Finance, 2024)

The National Coordinator for Critical Infrastructure Security and Resilience (CISA) released a pledge for software manufacturers to commit to better cybersecurity. However, CISA has no ability to enforce the pledge or compel manufacturers to comply with its standards (Cybersecurity and Infrastructure Security Agency, n.d.).

Another senator pointed out that since UHG is the largest employer of physicians but also an insurance company it may violate Corporate Practice of Medicine (CPOM) laws in several states.

In an open letter to Andrew Witty, the House Committee on Energy and Commerce wrote: “The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised” (open letter, 2024). Senators threatened to bring UHG under further scrutiny following the cyberattack. In his statement, Ron Wyden said “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices” (Wyden, 2024). Another senator pointed out that since UHG is the largest employer of physicians but also an insurance company it may violate Corporate Practice of Medicine (CPOM) laws in several states.

UHG is vertically integrated, which means it can pay itself for services. In 2023 alone, Optum received 62 percent of its total revenue from UHG. One out of every 10 doctors in the US is affiliated with UHG. Senators asked about a Wall Street Journal article that showed UGH sends higher payments to its pharmacy subsidiaries, which Witty denied: “Optum Rx uses the same reimbursement approach for affiliated pharmacies as it does for comparable independent pharmacies” (U.S. Senate Committee on Finance, 2024).

UHG is also vertically integrated in mental healthcare. For example, Alma Mental Health Group (Alma) is a company that contracts providers with several insurance companies, including United Health. Alma is a group practice which means it negotiates the rate for all the providers at the practice. One of Alma’s funders is Optum VC, owned by Optum (Thomabravo, 2024). Providers who bill as part of Alma’s group practice use Alma’s group NPI on claims and are compensated at a higher rate than providers who bill using their individual NPIs. A representative at Optum told me that this is because Alma is compensated at an out-of-network rate. Credentialing for Alma is handled by a designated team at Optum which allows them to credential providers in a matter of days, whereas other group practices have to wait several months, and contracted individual providers must wait upwards of six months. This vertical integration is not free. Providers who are part of this group practice pay a monthly membership fee to Alma (Alma, n.d.). An Alma recruiter told me that Alma also takes a cut of every session’s payout, which they justify as a claims processing fee. Senators did not ask about this at the hearing.

Other mental health companies selling data

Part of the Senate hearings concerned the troubled structure of the United States’ healthcare system. CEO Witty told lawmakers that the system is “deeply fragmented” and currently puts “the burden of finding and navigating care squarely on the shoulders of the people who need help the most” (U.S. Senate Committee on Finance, 2024).

This is commonly apparent in community mental health systems. It’s not uncommon for clinics to suffer from a lack of client referrals even though there’s demand in the community. There simply isn’t an easy solution for improving access to care.

Many markets are suffering simultaneously from a provider shortage and a provider surplus because although there are students who need placements there is not enough funding to pay supervisors to oversee them. Licensed clinicians have become scarce in community mental health settings because wages are too low to support the cost of living. The private practice markets in which I am located, California and Colorado, are oversaturated. I tell people that if they want to pay out of pocket, I know someone who can get them in next week but for certain insurances, there’s a waitlist of three months.

Several tech companies have recently entered the market with the stated goal of improving access to care. Under current market conditions, clinicians have questioned whether profit is possible in the fee-for-service model in these large corporate systems, or whether these companies’ true goal is selling patient and provider data. Teledoc’s online therapy platform BetterHelp was fined $7.8 million in 2023 for selling patient data, (FTC, 2024). If you think this fine is devastating, consider that the company made over $1 billion dollars in 2022 (Lovett, 2023). Similar platform Talkspace had $150 million in revenue in 2023 (Talkspace, n.d.) and is facing a new class action lawsuit this year (McCroskey, 2024). In the past, it has admitted to selling patient data to advertisers and using sessions to train AI (Hill et. al, 2020).

How should clinicians navigate this shifting landscape? Consult professional organizations about the best HIPAA practices and ways to safeguard your information. Always use multi-factor authentication when it’s available. Never share your passwords or HIPAA information anywhere online, even if it’s just in a DM. The Change Healthcare hack has highlighted the need for clinicians to diversify their practices with a healthy case-mix and always have a backup plan for claims filing. Some clinicians left their EHR claims plans behind, preferring to submit directly to online insurance portals.

Some providers left big insurance panels for good, seeking the ease of tech startups. The problem is that many new online therapy platforms are under-regulated. Ron Wyden, who criticized the UHG CEO in hearings this year, has previously voiced concern over “misuse of personal data by Big Tech companies and unscrupulous data brokers” (Wyden, 2022). Providers should be mindful of who they share their clients’ data with, and where.

Angela Nauss, MA, LMFT, is an AAMFT Professional member specializing in treating trauma and PTSD. She is also clinical support personnel at Naropa University in Colorado and the author of several articles about trauma. www.nausstherapy.com


118th Congress. (2024, April 15). Open letter to Andrew Witty from the Congress of the United States House of Representatives, Committee on Energy and Commerce. https://d1dth6e84htgma.cloudfront.net/04_15_24_Letter_to_Change_Healthcare_re_Outage_9fd1950e97.pdfjpcglclefindmkaj/

Cybersecurity and Infrastructure Security Agency. (n.d.). Secure by design pledge. Cisa.gov. https://www.cisa.gov/securebydesign/pledge

Energy and Commerce Committee. (2024, April 29). Majority Committee Staff, Re:  Hearing on the February 21, 2024, cyberattack on Change Healthcare, a subsidiary of UnitedHealth, titled “Examining the Change Healthcare Cyberattack.” https://d1dth6e84htgma.cloudfront.net/Public_Memo_OI_Hearing_05_01_24_Change_Healthcare_Cyberattack_6a53b333f6.pdf

Federal Trade Commission. (2024, May 6). FTC gives final approval to order banning BetterHelp from sharing sensitive health data for advertising, requiring it to pay $7.8 million. https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-gives-final-approval-order-banning-betterhelp-sharing-sensitive-health-data-advertising

GovernmentTechnology. (2024, April 10). New ransomware actor threatens change healthcare. https://www.govtech.com/security/new-ransomware-actor-threatens-change-healthcare

Greenberg, A. (2024a, March 4). Hackers behind the Change healthcare ransomware attack just received a $22 million payment. WIRED. https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/

Greenberg, A. (2024b, April 23). Change Healthcare finally admits it paid ransomware hackers—and still faces a patient data leak. WIRED. https://www.wired.com/story/change-healthcare-admits-it-paid-ransomware-hackers/

Hill, K., & Krolik, A. (2020, August 7). At Talkspace, start-up culture collides with mental health concerns. The New York Times. https://www.nytimes.com/2020/08/07/technology/talkspace.html?smtyp=cur&smid=tw-nytimes

House Committee on Energy and Commerce. (2024, May 1). Oversight Hearing: Examining The Change Healthcare Cyberattack [Video]. https://energycommerce.house.gov/events/oversight-and-investigations-subcommittee-hearing-examining-the-change-healthcare-cyberattack

How Alma benefits providers. (n.d.). https://helloalma.com/for-providers/

Jones, C. (2024, April 8). Second ransomware gang says it’s extorting Change Healthcare. The Register. https://www.theregister.com/2024/04/08/change_healthcare_ransomware/

Krebs, B. (2024, March 5). BlackCat ransomware group implodes after apparent $22M payment by Change Healthcare. https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/

Lovett, L., & Lovett, L. (2023, January 9). BetterHelp Rakes in $1B in 2022, as Teladoc Plans to Integrate Behavioral Health into Its Chronic Care Strategy. Behavioral Health Business. https://bhbusiness.com/2023/01/09/betterhelp-rakes-in-1b-in-2022-as-teladoc-plans-to-integrate-behavioral-health-into-its-chronic-care-strategy/

McCroskey, K. (2024, February 19). Class action claims TalkSpace misleads patients on personalized therapist matches, automatic subscriptions. ClassAction.org. https://www.classaction.org/blog/class-action-claims-talkspace-misleads-patients-on-personalized-therapist-matches-automatic-subscriptions

MITRE ATT&CK. (n.d.) ATT&CK Matrix for Enterprise. Retrieved June 12, 2024 from https://attack.mitre.org/

Office for Civil Rights. (2024, May 31). OCR Updates Change Healthcare Cybersecurity Incident FAQs. U.S. Department of Health and Human Services. https://www.hhs.gov/about/news/2024/05/31/ocr-updates-change-healthcare-cybersecurity-incident-faqs.html

TalkSpace (n.d.). TalkSpace announces fourth quarter and full year 2023 results –Talkspace, Inc. https://investors.talkspace.com/news-releases/news-release-details/talkspace-announces-fourth-quarter-and-full-year-2023-results

ThomaBravo. (n.d.). Alma raises $130M in series D funding led by Thoma Bravo to advance its mission to simplify access to high quality, affordable mental health care. https://www.thomabravo.com/press-releases/alma-raises-130m-in-series-d-funding-led-by-thoma-bravo

UnitedHealth Group (2024). Testimony of chief executive officer, UnitedHealth Group before the Senate Finance Committee “Hacking America’s Health Care: Assessing the Change Healthcare cyber attack and what’s next.” https://www.finance.senate.gov/imo/media/doc/0501_witty_testimony.pdf

U.S. Senate Committee on Finance. (May 1, 2024.) Responses to questions for the record for Andrew Witty U.S. Senate Committee on Finance full committee hearing: Hacking America’s health care: Assessing the Change Healthcare cyber attack and what’s next. https://www.finance.senate.gov/imo/media/doc/responses_for_questions_for_the_record_to_andrew_witty.pdf

U.S. Senate Committee on Finance. (May 1, 2024.) Wyden hearing statement on Change Healthcare cyberattack and UnitedHealth Group’s response. https://www.finance.senate.gov/imo/media/doc/0501_wyden_statement.pdf

Wyden.senate.gov. (2022, June 24). Wyden, colleagues call on mental health apps to provide answers on patient data privacy and sharing practices. https://www.wyden.senate.gov/news/press-releases/wyden-colleagues-call-on-mental-health-apps-to-provide-answers-on-patient-data-privacy-and-sharing-practices

Other articles

Gray Divorce: Splitting Up Later in Life
Feature

Loss, Grief, and Resilience: Finding Light Through the Darkness

In these turbulent times, families have suffered devastating losses of loved ones, from the anguish of COVID-related deaths to gun violence, drug overdose, suicide, environmental disasters, and war. More attention is urgently needed in MFT training and practice to help the bereaved to heal and forge pathways ahead to live and love fully beyond loss.
Froma Walsh, PhD

Meaning of Aging in a Time of Crisis
Feature

Systemic Therapy with Arab American Clients

Arabs are a diverse group with some of the fastest-growing population rates in the United States (U.S.; Dardas & Simmons, 2015). The population includes approximately 3.5 million Arabs and Arab Americans (Aprahamian et al., 2011; Shuraydi, 2020). Arab Americans have traditionally been an understudied and misunderstood minoritized group in the United States (Abuelezam et al., 2018). Misconceptions and stigmas have led to heightened anxiety and mistrust, especially following 9/11, resulting in a cautious attitude toward other Americans.
Eman Tadros, PhD & Marram Salman, MA

Gray Divorce: Splitting Up Later in Life
Feature

Type 2 Diabetes: A Beginner’s Guide for Mental Health Professionals and Related Fields of Study

Type 2 diabetes is a serious health condition that impacts millions of people across the United States and around the world (Calvano et al., 2019; Visaria et al., 2020). In fact, type 2 diabetes mellitus (T2DM) accounts for 90 to 95% of all cases of diabetes (Antwi et al., 2020; Visaria et al., 2020). Considered a metabolic disturbance, diabetes occurs when someone has elevated levels of glucose in the blood. Blood sugar or glucose is the body’s primary energy source, and blood sugar levels are regulated by insulin.
Jerrod Brown, PhD, Jeremiah Schimp, PhD, Tiffany Flaten, MEd, Janina Cich, MA, & Jen Uschold, PT