What happened?
This year, the largest health insurance hack in history took place. If you’re a therapist who takes insurance, you’ve probably heard about the Change Healthcare hack already. The hack has implications for mental health practitioners and the healthcare industry.
The saga began in October of 2022 when Optum acquired Change Healthcare. Optum is owned by UnitedHealth Group (UHG). Change Healthcare is a clearinghouse that transfers medical claims between providers’ offices and insurance companies. Although owned by UnitedHealth Group, Change Healthcare processes claims for many different insurance companies including Tricare. One-third of all claims in the United States pass through Change Healthcare, about 15 billion annually.
Change Healthcare was a 40-year-old company, and in testimony to the Senate Finance Committee its cybersecurity system was described as “layered,” meaning layers of security that have been added over the last four decades. UHG CEO Andrew Witty said in Senate testimony: “Our team was working to bring this server up to UHG’s standards” (U.S. Senate Committee on Finance, 2024).
On February 12, 2024, a hacker group called ALPHV or BlackCat, with a possible Russian affiliation (The Energy and Commerce Committee, 2024), obtained access to Change Healthcare through stolen credentials. The account did not even have multi-factor authentication. The hackers spent 9 days in Change’s system, using privilege escalation to gain further access while extracting patient information. The hackers were not detected inside Change’s system.
On February 21, 2024, the hackers deployed a ransomware attack inside Change Healthcare and encrypted their systems. UnitedHealth Group severed connectivity with Change Healthcare’s data centers. In his testimony before the Senate Finance Committee, UnitedHealth Group CEO Andrew Witty defended this choice. He warned that the attack would have been worse if the hackers had subsequently gained access to other parts of the network (UnitedHealth Group, 2024). Shutting down Change Healthcare meant that one-third of claims traffic in the United States could no longer be processed. Pharmacies couldn’t fill prescriptions and providers could not be paid for sessions.
The same day, February 21, UHG contacted the FBI. In his Senate testimony, Witty denied that the FBI instructed him to withhold information from patients and providers about the hack. By the afternoon of the 21st, experts were en route to Change’s server center in Nashville to begin rebuilding Change Healthcare’s systems from the ground up, focusing on pharmacy networks (UnitedHealth Group, 2024). On February 22, UHG contacted the US Department of Health and Human Services about the hack. UHG suspended the need for certain types of preauthorizations after the hack since these could not be processed. It also began issuing no-cost, no-interest loans to providers who had no cash resources to operate (U.S. Senate Committee on Finance, 2024).
On March 4, 2024, a Wired article announced that Change Healthcare had paid $22 million for an encryption key from the hackers (Greenberg, 2024a). On March 5, BlackCat’s website appeared to have been taken over by the FBI. A cybersecurity analyst published an article saying that an affiliate of the BlackCat hacker group posted on a Russian-language-only dark-web forum that he had not been paid by BlackCat (Staff, 2024). Hacker groups typically partner with affiliates for jobs like this, splitting the ransom with 80% to the affiliates and 20% to the group (Jones, 2024). Analysts concluded that BlackCat pulled an “exit scam” to avoid paying the affiliates their share (Krebs, 2024). On March 8, another hacker group called RansomHub posted that they were the jilted affiliate. They hadn’t been paid but still had all the data extracted from Change Healthcare from February 12 to 20. They said that they would leak all the data online if UHG didn’t pay them and posted 22 screenshots of patient information online to prove it (Greenberg, 2024b). To date, no one knows whether UHG paid this second ransom.
On March 15, UHG released a press statement announcing that they had restored 99% of Change Healthcare’s pharmacy network services and Change had begun to process claims again. On April 15, prior authorizations were reinstated (U.S. Senate Committee on Finance, 2024). On April 26, UHG announced they had granted more than $6.5 billion in loans to providers, with 34% of that going to “safety-net hospitals” (Senate Finance, 2024). By May 15, the company said it had given $7 billion in loans. After providers regained the ability to repay claims, they had 45 days to repay the loans. One senator derided UHG’s efforts to support providers during the outage, saying: “Providers are looking for financial stability and reassurance, not another creditor” (U.S. Senate Committee on Finance, 2024).
The effects have been devastating. There were two congressional hearings, one before the Senate Finance Committee and another before the Subcommittee of Oversight and Investigations, which is a part of the House Energy and Commerce Committee. If you needed any proof of the thin margins on which healthcare companies operate, listen to lawmakers share stories from their constituents about what happened when they weren’t paid for three weeks. At one point, a health center in Texas was facing $14 million in outstanding claims. Another Texas group had to eliminate dental services to make ends meet. Mental healthcare providers were singled out as particularly vulnerable, with one senator citing a mental health provider from Providence who missed payments on their mortgage and car due to the Change Healthcare outage (U.S. Senate Committee on Finance, 2024). Ron Wyden, Chair of the Senate Finance Committee, said that mental health providers were left “holding the bag, stuffing envelopes with paper claims” (Wyden, 2024).