the staff of the Ridgewood blog
Ridgewood NJ, in the early hours of February 21, Change Healthcare, a company largely unfamiliar to the general public but pivotal in the U.S. healthcare system, issued a concise statement noting that some of its applications were currently inaccessible.
By later that afternoon, the situation had evolved into a cybersecurity issue, according to the company’s subsequent update.
Since then, the incident has rapidly escalated into a crisis.
The company, recently acquired by insurance behemoth UnitedHealth Group, reportedly fell victim to a cyberattack. The repercussions are extensive and anticipated to worsen. Change Healthcare’s primary function involves managing healthcare’s crucial pipelines—processing payments, submitting requests to insurers for care authorization, and more. These pipelines handle a substantial volume, with Change noting on its website that its cloud-based network facilitates 14 billion clinical, financial, and operational transactions annually.
Initial media coverage has spotlighted the impact on pharmacies, although experts suggest this only scratches the surface. The American Hospital Association reports that many of its members are experiencing delayed payments, while healthcare providers are unable to verify patients’ coverage for treatment.
Yet, this represents just a fraction of the unfolding crisis. CommonWell, an organization facilitating the sharing of medical records among healthcare providers—an essential component of patient care—also relies on Change’s technology. As of July 2023, the system contained records for 208 million individuals. Courtney Baker, CommonWell’s marketing manager, disclosed that the network has been disabled as a precautionary measure.
“It’s like small ripples in a pond that will inevitably grow larger over time if left unresolved,” remarked Saad Chaudhry, Chief Digital and Information Officer at Luminis Health, a hospital system based in Maryland.
Key points about the cyberattack:
Media outlets are pointing fingers at ALPHV, a notorious ransomware group also known as Blackcat, which has garnered attention from law enforcement agencies worldwide. While UnitedHealth Group has labeled it a “suspected nation-state associated” attack, some external analysts contest this assertion. The group has previously been implicated in hacking incidents involving prominent companies such as MGM and Caesars.
In December, prior to the Change hack, the Department of Justice accused the group’s victims of having paid hundreds of millions of dollars in ransom.