UnitedHealth Group is laying out a timeline to restore its systems as a cyberattack on its Change Healthcare subsidiary continues to disrupt the health care industry for nearly a third week.
The company said Thursday it's still working "aggressively" to restore its services after the attack Feb. 21 caused it to shut down its insurance claims and payment platforms, leaving health care providers and pharmacies across the nation unable to process prescriptions or pay employees, but as of now, its electronic prescribing is back to being "fully functional."
As for the other affected services, UnitedHealth said Change's electronic payment functionality will be available again starting March 15, while the testing and reestablishing of its claims software will begin March 18 and be restored through the rest of the week.
Until then, the company is urging providers and payers to use workarounds it has established in the wake of the attack, such as its iEDI claim submission system, until all Change services are fully restored, though many groups say these haven't been viable replacements.
"All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices and that patients can get their medications," said Andrew Witty, CEO of UnitedHealth Group. "We're determined to make this right as fast as possible."
Acting as a pipeline between health care and insurance providers, Change processes 15 billion medical transactions each year, representing more than $1.5 trillion in health care claims, its website states. The Justice Department also says the company manages half of all medical insurance claims in the country.
That all came to a halt, however, when notorious ransomware group AlphV/BlackCat attacked, and the shutdown of Change's financial services left those dependent on them scrambling to fill prescriptions, process claims, bill patients, verify insurance coverage, pay employees, refill hospital medication, supply inventories and more.
On Friday, UnitedHealth set up a temporary funding assistance program to help bridge the cash flow gap for providers, who won't need to repay the advances until claim flows are back to normal. But providers have argued the finances available with the program aren't enough to keep them afloat, and the same goes for the workarounds the company has provided in terms of missing services.
But while many medical providers continue to struggle without revenue from insurers or patients — with at least one having to close down due to a missed payroll cycle — the hackers appear to be rolling in dough, allegedly after receiving a $22 million ransom payout from UnitedHealth.
Two days after an AlphV-owned Bitcoin address received a payment worth nearly $22 million, an AlphV affiliate posted to an underground cybercriminal platform saying the ransomware group cheated them out of their share of a ransom Change paid to "prevent data leakage and decryption key," according to a screenshot from Dmitry Smilyanets, a researcher for security firm Recorded Future.
#ALPHV scamming affiliates? $22M paid and withdrawn pic.twitter.com/0ocKoXNLme
— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) March 4, 2024
Groups like AlphV often use affiliates to do the actual hacking with their ransomware and then give the affiliates some of the payouts. But the affiliate said AlphV "kept lying and delaying" their payment until the group finally "emptied the wallet and took all the money."
However, if Change did pay a ransom, its chosen recipient may have been misguided, as the affiliate also said the 4TB of "critical" patient data hackers accessed in the attack — including medical records and payment and insurance information — remained with the affiliate, not with the larger group Change allegedly paid to withhold releasing the stolen data.
Dirk McMahon, COO of UnitedHealth, responded to the ransom report first published in WIRED, saying, "We're not going to talk about that." He added, "What I would tell you is, across the board on the investigation, we're working closely with law enforcement, and this is an ongoing investigation."
Some medical groups, though, aren't ready to skip over the data worries. In a statement Friday, the president of the American Medical Association, Dr. Jesse Ehrenfeld, said that although the timeline information and financial assistance programs are helpful, UnitedHealth must do more to address these concerns outright.
"Full transparency and security assurances will be critical before connections are reestablished with the Change Healthcare network," the statement read.