Change Healthcare Cyberattack : Nebraska Hospital Association

Change HealthCare Cyberattack: Latest Information and Resources

Change Healthcare, a health care technology company that is part of Optum and owned by UnitedHealth Group, announced Feb. 21 they were hit with a cyberattack that disrupted a number of its systems and services, according to a statement posted on its website. Change Healthcare indicated it had disconnected its systems “in the interest of protecting our partners and patients.” Due to its sector-wide presence and the concentration of mission critical services it provides, the reported interruption could have significant cascading and disruptive effects on the health care field within revenue cycle, pharmacy, certain health care technologies, clinical authorizations and other services.

4/23/24

Cyberattack UnitedHealth Group Provides Update on Data Impacted By Cyberattack
UHG agrees to provide breach notifications on behalf of providers and customers

UnitedHealth Group (UHG) on April 22 issued a news release regarding its preliminary review of the data involved in the cyberattack on Change Healthcare, a UHG subsidiary. Although UHG was clear that it was not making an official breach notification, it noted that an “initial targeted data sampling” determined that files containing protected health information and personally identifiable information had been exfiltrated during the cyberattack. UHG noted that it would likely take “several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.” In the meantime, UHG stated that it is in communication with law enforcement and regulators and “will provide appropriate notifications when the company can confirm the information involved.”

Importantly, UHG stated that it has offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer” at the appropriate time. On March 21, the American Hospital Association made a similar request in a letter to the Department of Health and Human Services Office for Civil Rights asking that UHG — not hospitals, health systems and other downstream victims of this attack — provide any breach notifications required by law. Agreeing with the AHA, UHG announced yesterday that it will undertake this responsibility to “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack.”

Finally, UHG announced that it has established a dedicated call center to offer free credit monitoring and other support services for those whose personal data may have been impacted by the cyberattack. The call center can be reached at 1-866-262-5342 and further details can be found on the UHG website changecybersupport.com. Hospitals should refer patients and other interested parties to these resources.

3/28/24

Change Healthcare Cyber Response: Resources for Providers, Pharmacies, Payers, Government Partners and Patients

Download here

3/22/24

Change Healthcare to begin processing $14B in claims

Change Healthcare said March 22 it plans to restore its biggest clearinghouse platforms over the weekend and start processing $14 billion in claims.

The UnitedHealth Group subsidiary said it brought the Assurance claims preparation system back online March 18 and intends to reinstate Relay Exchange, its largest clearinghouse, the weekend of March 23.

3/21/24

OCR Urged to Clarify that Hospitals and Health Systems Should Not Be Required to Make Any Breach Notifications in Relation to Change Healthcare Cyberattack

If it is determined that a breach of protected health information occurred in connection with the Change Healthcare cyberattack, then the Department of Health and Human Services’ Office for Civil Rights should exercise its enforcement discretion and clarify that Change Healthcare and UnitedHealth Group will be required to make any breach notifications — not hospitals, health systems and other downstream victims of this attack, the AHA and Federation of American Hospitals today urged OCR.

“Given the scope and scale of the cyberattack on Change Healthcare, without a unified notification process, patients could possibly face multiple notifications of this same breach, which could unnecessarily increase public confusion, misunderstandings and added stress,” the AHA and FAH said. “To be clear: America’s hospitals and health systems have long honored HIPAA’s core privacy objectives. Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack.”

“Given what you rightly describe as the ‘unprecedented magnitude’ of this attack, OCR must preemptively relieve hospitals and other providers of any potential breach notification burdens, which would cause significant patient confusion and undoubtedly be costly and resource-intensive,” AHA and FAH said.
The AHA and FAH letter responds to a March 13 OCR announcement that it is initiating an investigation into the Change Healthcare cyberattack.

FURTHER QUESTIONS
If you have further questions, please contact Chad Golder, AHA general counsel, at cgolder@aha.org.

3/18/24

UnitedHealth launching medical claims solution

UnitedHealth Group has advanced more than $2 billion to providers and is launching software for medical claims preparation beginning March 18 following the cyberattack on its Change Healthcare subsidiary in late February.

The software will be made available to thousands of providers in the next several days, with "third-party attestations available prior to services becoming operational. Following this initial phase, remaining services restoration will continue through ongoing phases of activation until all customers have been connected." Read more.

3/14/24

Supporting our Provider Community impacted by Change Healthcare Cyberattack

Update from BlueCross BlueShield Nebraska

3/14/24

CMS Releases FAQs on Medicare CHOPD Accelerated and Advance Payments

Today, CMS released a set of frequently asked questions (FAQs) that provides Medicare providers, suppliers, and other interested parties information on Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments. The FAQs include general information, application criteria, repayment of CHOPD accelerated payments, and other information.

3/13/24

Federal government launches investigation into UnitedHealth over Change hack (Becker's)

The federal government is launching an investigation into UnitedHealth Group following the February cyberattack on its Change Healthcare subsidiary that has significantly affected providers' financial stability nationwide. Read more.

3/12/24

Change Healthcare Cyberattack Prompts Breach Notification Questions

Following the Change Healthcare cyberattack on Feb. 21, the AHA has received questions from hospitals and health systems about their obligations for breach notifications and other requirements regarding data privacy and patient information. Please note that to date, neither Change Healthcare nor its parent company UnitedHealth Group has publicly indicated that the cyber adversaries responsible for this attack have taken any data, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The AHA has worked with its outside counsel at Jones Day to address questions on this issue. The information contained herein does not constitute legal advice. Hospitals should consult their organization’s legal counsel and other leadership when assessing these issues.

With those caveats in mind, at this initial stage, hospitals should consider the following:

1. Assess Relationship with Change Healthcare
Change Healthcare Products Utilized. Change Healthcare offers over 400 solutions for its customers. Hospitals should consult with their business and IT teams now to determine, specifically, which Change Healthcare products are utilized. Hospitals using Change Healthcare products should then assess whether it acts as a business associate or as a covered entity clearinghouse under HIPAA, as the relationship may impact the investigation and notice obligations.
Business Associate Agreements (BAA) and Underlying Service Agreements. Hospitals should review BAAs and underlying service agreements with Change Healthcare for provisions relating to security incidents and breach notification obligations (e.g., delegation of breach notification functions, timing for notices, etc.) and indemnification, limitation of liability, insurance coverage, arbitration of disputes, etc.

2. Assess Initial Regulatory Obligations
Duty to Investigate. Regardless of any notification (or lack thereof) from Change Healthcare as to whether PHI was impacted, hospitals should assess the facts and investigate credible information and evidence of any potential data breach impacting their data, including by seeking status updates from Change Healthcare directly. HIPAA regulations treat breaches as “discovered” as of the date a covered entity knew, “or, by exercising reasonable diligence” would have known of the breach. The date of discovery of a breach triggers breach notification timing requirements.
Requirements Upon Notice of Breach. If Change Healthcare, acting as a business associate, provides notice of a breach of unsecured PHI, hospitals should conduct a HIPAA risk assessment to determine whether there is a low probability that PHI has been compromised. This risk assessment must consider, at least, the following four factors: (i) the nature and extent of PHI involved (e.g., type of identifiers); (ii) the unauthorized person who used or received the PHI (e.g., threat actors); (iii) whether PHI was actually acquired or viewed (e.g., exfiltration); and (iv) the extent to which risk to PHI has been mitigated. If Change Healthcare provides notice of a breach of personal information that does not constitute PHI, a HIPAA risk assessment may not be necessary, but state law and other requirements may still apply.

3. Assess Business Considerations
Review of Privacy and Security Policies. Hospitals should review internal privacy and security policies to facilitate and ensure compliance with a hospital’s own procedures for purposes of potential future government audits. Hospitals also should review their public-facing privacy policies for provisions relating to arbitration, class action waivers, etc., to assess data breach class-action litigation risks, particularly because litigation has already been initiated related to the incident.
Timely Insurance Notice. Importantly, hospitals should review insurance policies, identify and review notice provisions and requirements, and contact applicable carriers (e.g., cyber and business interruption) to notify of potential incidents as the situation develops.

Continued Monitoring and Assessment. Hospitals should continue to monitor and assess internal IT systems for suspicious activity or inconsistent outcomes and maintain logs/documentation of such assessments. They also should continue regular conversations with Change Healthcare to stay updated on progress of its internal assessments and, ideally, broader communications before a hospital’s potential involvement is publicized by Change Healthcare or otherwise. Apart from cyber and privacy matters, hospitals also may consider obligations, risks and available flexibilities including in the health care, civil litigation and insurance recovery spaces.

3/10/24

Joint Letter to Health Care Leaders on Cyberattack on Change Healthcare from HHS and DOL

3/9/24

CMS Announces Accelerated and Advance Payment Program for Providers and Suppliers Affected by Change Healthcare Cyberattack

The Centers for Medicare & Medicaid Services (CMS) March 9 issued a notice formally announcing terms for hospitals, physicians and other providers impacted by the Change Healthcare cyberattack to apply for accelerated and advance payments (AAPs). CMS stated that hospitals, health systems and others should contact their Medicare Administrative Contractors (MACs) for more information and to apply.

CLICK HERE TO READ THE NOTICE.

AAP PROGRAM DETAILS
The term “accelerated” payments references Part A institutional providers and “advance” payments references to Part B suppliers. The two terms are used to align with statutory authority, but the programs are treated similarly. Both providers and suppliers may request AAPs from their MACs consistent with the terms and conditions below. Please note that CMS confirmed with the AHA that all types of hospitals are eligible for AAPs, including long-term care hospitals, inpatient rehabilitation facilities, critical access hospitals, PPS-exempt cancer hospitals and children’s hospitals.

Eligibility.

The eligibility criteria for the program include, among other requirements, that each provider/supplier must:
•   Not be receiving periodic interim payments;
•   Be unable able to submit claims to receive payments from Medicare. Please note that CMS confirmed for the AHA that this refers to an inability to submit electronic claims;
•   Have experienced a disruption in claims payment or submission due to a business relationship that they or their third-party payers have with Change Healthcare or another entity that uses Change Healthcare or requires the provider/supplier to use Change Healthcare;
•   Have been unable to obtain sufficient funding from other available sources to cover the disruption in claims payment, processing or submission attributable to the incident;
•   If currently in bankruptcy, alert CMS about this status and include case information;
•   Not be under active medical review or program integrity investigation; and
•   Not have any outstanding delinquent Medicare overpayments.

AAP Amount.

Providers and suppliers can request AAPs of up to 100% of a 30-day payment amount. MACs will determine this 30-day amount for each provider/supplier based on the total claims paid between Aug. 1, 2023 and Oct. 31, 2023, divided by three. Please note that CMS confirmed with the AHA that “total claims” includes both Part A and B claims — i.e., both sets of claims will be included in the calculated 30-day payment amount.

Repayment and Recoupment.

The following information relates to repayment and recoupment.
•   Recoupment will begin immediately at a 100% recoupment rate.
•   Repayment in full is required 90 days after the date that the AAP is issued.
•   After 90 days, a demand letter will be sent if there is a remaining balance.
•   There is a 30-day grace period before interest on the remaining balance begins; that is, on the 31st day after the demand letter is sent, interest will begin to accrue.
•   The interest rate is the prevailing rate set by the Department of Treasury, which is currently 12.375%; CMS has previously stated it does not have authority to waive interest or change this rate.
•   If a provider/supplier is experiencing financial hardship, they may request an Extended Repayment Schedule after a demand is issued.

3/8/24

UnitedHealth Group Provides Updates on Response to Change Healthcare Cyberattack
Updates include a timeline for restoration of systems, funding support for providers

UnitedHealth Group late yesterday announced a series of updates on its response to the unprecedented cyberattack against its subsidiary Change Healthcare. In the announcement, UHG outlines anticipated timelines for restoring Change Healthcare’s affected systems for pharmacy services, payments and medical claims. In addition, UHG provided new details about funding support for providers affected by the outage and said that for Medicare Advantage plans it is temporarily suspending prior authorizations for most outpatient services and utilization review for MA inpatient admissions. Please see the UHG webpage for more details.

Highlights of AHA Media Efforts on Change Healthcare Cyberattack

March 5, The Wall Street Journal – Calls Mount for Government Help As Change Healthcare Hack Freezes Medical Payments

March 5, The New York Times – Cyberattack Paralyzes the Largest U.S. Health Care Payment System

March 5 – The Washington Post – Officials Rush To Help Hospitals, Doctors Affected by Change Healthcare Hack

March 5, Reuters – U.S. To Accelerate Some Payments to Hospitals After UnitedHealth Hack

March 3, The Washington Post – Health-care hack spreads pain across hospitals and doctors nationwide

March 3, CNN This Morning – Cyberattack on Insurance Provider Causes Billing, Prescription Delays

March 1, NBC News – Ransomware attack on U.S. health care payment processor ‘most serious incident of its kind’ American Hospital Association CEO Rick Pollack said effects of the attack "are continuing to be felt throughout the entire health care system."

Feb. 29, CBS Evening News – Cyberattack on UnitedHealth still impacting prescription access: "These are threats to life"

Feb. 29, Associated Press – A large US health care tech company was hacked. It’s leading to billing delays and security concerns

3/5/24 HHS Statement Regarding the Cyberattack on Change Healthcare

3/5/24 CMS announces flexibilities in response to Change Healthcare attack

The Centers for Medicaid & Medicare Services today announced flexibilities intended to help providers continue to serve patients in the wake of the cyberattack on Change Healthcare. They include expedited claims processing; guidance for Medicare Advantage and Part D programs to remove or relax prior authorization, utilization management and filing requirements; and exceptions, waivers or extensions available through Medicare Administrative Contractors in addition to paper claim submissions. CMS also encourages Medicaid and Children's Health Insurance Program agencies to offer the same flexibilities during the Change Healthcare system outages.

LATEST INFORMATION AS OF 3/1/24

UnitedHealth Group’s Change Healthcare Launches Temporary Funding Assistance Program, E-prescribing Service in Relation to Ongoing Cyberattack

Change Healthcare, a health care technology company that is part of Optum and owned by UnitedHealth Group, today announced a “Temporary Funding Assistance Program” webpage and a new instance of its Rx ePrescribing service for customers affected by the ongoing cyberattack on Change Healthcare. Optum says the funding will be for certain providers “who receive payments that were processed by Change Healthcare.” See the webpage for more details. Please note, the AHA has not evaluated the terms of Optum’s temporary funding program and is providing this to our membership for informational purposes only.

BACKGROUND
Change Healthcare announced Feb. 21 it was experiencing a cyberattack and this week acknowledged the attack was perpetrated by threat actor ALPHV Blackcat. See the Feb. 26 AHA Advisory for details on the indicators of compromise associated with the attack and a Feb. 27 updated joint federal advisory #StopRansomware: ALPHV Blackcat.

CONNECTION TO SYSTEMS
UnitedHealth Group continues to say that based on its ongoing investigation, there’s no indication that Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue. The AHA continues to recommend that all health care organizations maintain disconnection from applications specified by Change Healthcare that remain unavailable due to this cyberattack as identified on the Change Healthcare application status page.
Each health care organization should continue to monitor and independently evaluate information provided by Change Healthcare to inform its own risk-based decisions regarding nonimpacted systems. When considering connectivity to nonimpacted systems, each health care organization should weigh possible clinical disruptions and business impacts caused by severing the connection to nonimpacted Optum, Change Healthcare, UnitedHealthcare and/or UnitedHealth Group systems.

There is still currently no timetable for recovery of all Change Healthcare systems.

BE MINDFUL OF POTENTIAL FRAUD
High profile health care cyberattacks create a ripe environment for all types of fraudsters and cyber adversaries to target hospitals and patients. Be cautious of any email or phone call seeking to obtain personally identifiable information, health insurance information, passwords, financial information or seeking change of payment instructions. Be on heightened alert for phishing emails. If you believe payments have been diverted to unauthorized accounts immediately contact your financial institution and the FBI at www.ic3.gov. If staff or patients have become a victim of identity theft, resources are available at www.identitytheft.gov. Report health insurance fraud to https://tips.oig.hhs.gov/.

AHA RESOURCES
Visit AHA’s Change Healthcare cyberattack webpage for the latest advisories and advocacy to support hospitals and health systems and ensure patient access to care.

FURTHER QUESTIONS
If you have further questions, please contact John Riggi, AHA’s national advisory for cybersecurity and risk at jriggi@aha.org. For the latest cyber threat intelligence and resources, visit www.aha.org/cybersecurity.

2/28/2024

Agencies Update #StopRansomware Advisory on ALPHV Blackcat

The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services today issued an updated joint advisory #StopRansomware: ALPHV Blackcat. The updated advisory provides new indicators of compromise and tactics, techniques and procedures associated with the ALPHV Blackcat ransomware as a service. ALPHV Blackcat is alleged to be involved in ongoing attacks impacting the health care field.

Please share the updated joint advisory with your IT and/or cybersecurity teams.

ACTIONS TO TAKE TODAY

Organizations should take action immediately to mitigate against the threat of ransomware.
Network defenders should enter their indictors of compromise into their network defenses and threat hunting tools as soon as possible.
Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
Prioritize remediation of known exploited vulnerabilities.
Enable and enforce multifactor authentication with strong passwords.
Close unused ports and remove applications not deemed necessary for day-to-day operations.

AHA Cybersecurity Advisory
February 26, 2024

TLP:WHITE1

Change Healthcare, a health care technology company that is part of Optum and owned by UnitedHealth Group, continues to experience a cyberattack that is having effects on the entire health care system. Since the cyberattack began Feb. 21, the AHA has been sharing information with members to help them navigate this evolving incident.

As part of those efforts, Health-ISAC, which AHA partners with closely, today issued a bulletin to provide additional information regarding maintaining network connectivity with UnitedHealth Group, Optum and UnitedHealthcare, and indicators of compromise. The following issues and recommendations are outlined in the Health-ISAC bulletin and consistent with guidance that AHA has issued about this incident.

Please share this advisory with your organization’s information technology and/or cybersecurity teams.

NETWORK CONSIDERATIONS

Change Healthcare has indicated it has taken appropriate action to contain the incident so that customers and partners do not need to sever network connections to available vital services.

Change Healthcare continues to say on its webpage “that we have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this Issue.” The AHA continues to be encouraged by this public statement, and health care organizations should give this statement strong consideration.

Accordingly, the AHA and Health-ISAC continue to recommend that organizations immediately reevaluate their risk of keeping any network services shut down to Optum, Change Healthcare, UnitedHealthcare and/or UnitedHealth Group which has been deemed safe by them. Each health care organization should continue to monitor and independently evaluate information provided by Change Healthcare to inform its own risk-based decisions regarding nonimpacted systems.

When considering connectivity to nonimpacted Change Healthcare systems, each health care organization should weigh possible clinical disruptions and business impacts caused by severing the connection to nonimpacted Optum, Change Healthcare, UnitedHealthcare and/or United Health Group systems.

The AHA and Health-ISAC continue to recommend that all health care organizations maintain disconnection from applications specified by Change Healthcare that remain unavailable due to this cyberattack, as identified on the Change Healthcare application status page.

The AHA independently provided the above connectivity guidance on Feb. 23 during a national call with the field and again in a Feb. 24 Cybersecurity Advisory.

INDICATORS OF COMPROMISE

Today’s Health-ISAC bulletin cites information published by cyber intelligence firm RedSense, saying that Change Healthcare, along with other organizations, fell victim to exploitation of the recently announced ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709). As the incident is still under investigation, it is not possible to confirm the attack details.

Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute. If your organization has ConnectWise ScreenConnect in your environment, please review the following indicators and recommendations contained below in red from the Health-ISAC bulletin:

Atomic IOCs, traffic to/from these could indicate compromise-

155.133.5[.]15

155.133.5[.]14

118.69.65[.]60

118.69.65[.]61

207.148.120[.]105

192.210.232[.]93

159.203.191[].1

Additional IOCs, these could indicate compromise as well

presence of User.xml in the Windows ScreenConnect path (this file generally equates to an owned server, recommend to isolate endpoint, inspect this file and look for RCE)

Examine this file on the server hosting connectwise/screen connect: C:\Program Files (x86)\ScreenConnect\App_Data\User.xml

Evaluate the “” field along with the “” field. If a user was recently created, review their field. If the role is ‘admin’ related, you probably have been compromised.

The attack chain bypasses 2-factor authentication via brute force before executing local commands. The threat actors initially create an account called ‘cloudadmin’. The ‘cloudadmin’ account then creates a ‘test@2021’ user. The ‘test@2021’ user pings google.com. Next, the threat actors attempt to establish a connection over HTTPS to transfer[.]sh, a web-based file-sharing service, most likely using the command line.

Additional Background
On February 19, 2024, ConnectWise alerted users of a remote code execution (RCE) flaw that can be leveraged to bypass authentication in ScreenConnect servers. The CVEs associated with these actively exploited vulnerabilities are CVE-2024-1708 (CVSS 8.4) and CVE-2024-1709 (CVSS 10.0). Still, ConnectWise has advised its customers to patch their ScreenConnect servers immediately against the critical vulnerability to prevent RCE attacks.

The critical vulnerability patched in the ConnectWise ScreenConnect remote desktop software has been observed being exploited in the wild. ScreenConnect is a popular remote desktop software with both on-premise and in-cloud deployments. The exploited flaw allows attackers to bypass authentication and gain remote code execution on systems.

These Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) have been pushed into the H-ISAC AMBER MEMBERS collection on the Health-ISAC Indicator Threat Sharing (HITS) automated systems for STIX and TAXII subscribers.

Mitigation Practices: Security researchers recommend that all organizations running any affected version immediately update the software. According to ConnectWise, due to the likelihood of these devices being exploited in attacks, it is strongly advised that you update your devices as soon as possible.

PAST AHA ADVISORIES AND ACTIONS TO KEEP MEMBERS INFORMED

The AHA has kept members informed throughout this incident.

On Feb. 22, we issued an initial Cybersecurity Advisory to alert hospitals and health systems to the attack and recommended steps hospitals and health systems could take.

On Feb. 23, we hosted a call with leaders from the Department of Health and Human Services, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation to provide the latest information on the incident and answer questions.

On Feb. 24, we issued an updated Cybersecurity Advisory with additional details about the incident, recommendations for hospitals to consider, and actions the AHA is undertaking.

On Feb. 25, we issued a new Cybersecurity Advisory with additional information about the indicators of compromise to assist network defenders with conducting an indicator sweep within their environment to determine whether their network has been compromised.

NEXT STEPS
The AHA will continue to keep you updated on this situation. Please send any technical, financial and/or clinical impact or related technical threat intelligence on a confidential basis to John Riggi, AHA’s national advisor for cybersecurity and risk, at jriggi@aha.org. The AHA maintains close contact with the FBI, HHS and CISA and will share cyber threat intelligence with them without attribution to your organization, unless you specify permission to be identified. If you have identified any of these indicators of compromise on your network, or are experiencing a ransomware attack, contact your local FBI field office or FBI 24/7 Cyber Watch at 855-292-3937 and describe any delay or disruption to care delivery.

FURTHER QUESTIONS
If you have further questions, please contact Riggi at jriggi@aha.org. For the latest cyber threat intelligence and resources, visit www.aha.org/cybersecurity.

__________

AHA Cybersecurity Advisory
February 24, 2024

AHA continues to recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from applications specified by Change Healthcare that remain unavailable due to this cyberattack, as identified on the Change Healthcare application status page. In our Feb. 22 Cybersecurity Advisory we also recommended that organizations which use Change Healthcare impacted services prepare related downtime procedures and contingency plans should those services remain unavailable for an extended period. As of this date, Change Healthcare has not provided a specific timeframe for which recovery of the impacted applications is expected.

In addition, open-source statements and press reports have identified exploitation of the ConnectWise vulnerability as a factor in this cyberattack. The U.S. government had previously recommended that all organizations immediately patch this vulnerability.

The AHA remains in direct contact with Change Healthcare and requested clarification on its confidence level of nonimpacted systems’ security. As of Feb. 23 at 2:40 p.m. ET, Change Healthcare began including the following statement in their regular updates, “We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this Issue.”

We are encouraged by this public statement. However, the AHA recommends that each health care organization continue to monitor and independently evaluate information provided by Change Healthcare to inform its own risk-based decisions regarding nonimpacted systems. When considering connectivity to nonimpacted Change Healthcare systems, each health care organization should weigh connection or reconnection against possible business and clinical disruptions caused by severing the connection to nonimpacted Change Healthcare systems.

In addition, we recognize that the hospitals and health systems may be experiencing challenges with obtaining care authorizations for their patients, as well as delays in payment. We are in communication with the Department of Health and Human Services, including the Centers for Medicare & Medicaid Services, about options to support patients’ timely access to care and provide temporary financial support to providers. We also are having these discussions with Optum. We will provide more information as it becomes available.

The AHA will continue to keep you updated on this situation. Please send any technical, financial and/or clinical impact or related technical threat intelligence on a confidential basis to John Riggi, AHA’s national advisor for cybersecurity and risk, at jriggi@aha.org. The AHA maintains close contact with the FBI, Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency and will share cyber threat intelligence with them without attribution to your organization, unless you specify permission to be identified, or contact your local FBI field office.

FURTHER QUESTIONS
If you have further questions, please contact Riggi at jriggi@aha.org. For the latest cyber threat intelligence and resources, visit www.aha.org/cybersecurity.