Mega US healthcare payments network restores system 9 months after ransomware attack

Change Healthcare’s $2 billion recovery is still a work in progress


Still reeling from its February ransomware attack, Change Healthcare confirms its clearinghouse services are back up and running, almost exactly nine months since the digital disruption began.

In an ordinary year, the healthcare organization handles 15 billion transactions – the most of any clearinghouse in the US. It looks after payments and transactions between and among healthcare providers, hospitals, practitioners, and patients throughout the US healthcare system. Its February ransomware attack by ALPHV/Blackcat led to a financial impact on a whopping 94 percent of hospitals the following month, according to the American Hospital Association (AHA).

The restoration of this service, confirmed via an update to its website status page, marks a key milestone in Change Healthcare's overall recovery from the attack, which is largely but not yet entirely complete.

The vast majority of its functions are back online and were all at least partially restored within just two months. The only business functions yet to achieve full restoration status are Clinical Exchange (e-health record information exchange), MedRX (pharmacy claims management), and its Payer Print Communication Multi-Channel Distribution System (payment document printing).

However, providers will be feeling the huge financial impact of the incident for much longer.

Providers reported financial difficulties almost immediately after Change Healthcare was floored by ALPHV. By early March, more than a third of them said more than half of their revenue was impacted by payment disruptions, and nearly 60 percent of all hospitals reported a revenue shortfall of $1 million or more per day.

UnitedHealth-owned Optum launched its Temporary Funding Assistance Program on March 1 to support providers as they battled cashflow issues. In the same update that broke the news about the restoration of its clearinghouse services, Change Healthcare, which is also owned by UnitedHealth, said that as of October 15, $3.2 billion of funds loaned had been repaid.

The total amount of money loaned out to providers on an interest-free basis is thought to be more than $6 billion. That's on top of the $872 million Change Healthcare spent on remediating the attack just at the end of March, costs that have since risen to well above $2 billion (inclusive of tax), per UnitedHealth's most recent earnings report [PDF].

The Register contacted Change Healthcare for a statement but it didn't immediately respond.

Around 100 million people were affected by Change Healthcare's mega-breach, per recent statistics from the Department of Health and Human Services (HHS). Factoring in the AHA's belief that the company processes around one in three US citizens' medical claims and the country's population of around 337 million, it means that nearly a third of the country was affected, and the vast majority of Change Healthcare patients were compromised.

The degree to which people's data was compromised varies, but full names, email addresses, banking data, claims records, and more were stolen.

Naturally, UnitedHealth CEO Andrew Witty was summoned to Congress soon after things went down to explain exactly how this weapons-grade stuffup was allowed to occur.

He explained to lawmakers that the ALPHV affiliate used stolen credentials to log into a Citrix portal that, you guessed it, didn't have multi-factor authentication (MFA) enabled.

Witty was grilled on the company's decision to pay the extortionists, a move that had previously been rumored based on blockchain analyses of known ALPHV wallets. He confirmed to senators that UnitedHealth indeed paid $22 million to the attackers.

He admitted he was the individual who authorized the payment, saying it "was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."

Experts speaking to The Register following the CEO's testimony said the security failings exploited by the cybercriminals were tantamount to "egregious negligence."

"I'm blown away by the fact that they weren't using multi-factor authentication," said Tom Kellermann, SVP of cyber strategy at Contrast Security. "I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."
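The first of the three failings Kellermann lists, a remote-access portal accepting a password alone, is the one a defender can audit from logs. The script below is an added example written for this article, not Change Healthcare's or Citrix's tooling: it reads a constructed, hypothetical line-per-event JSON log (Citrix's real event schema is not used here) and flags every successful login that recorded no second factor, then tallies them per account so single-factor accounts stand out.

```python
"""Flag successful remote-portal logins that completed without a second factor.

Added example for the MFA gap discussed above. The log format and the sample
events are constructed for illustration; this is not a real portal's schema.
"""
import json
from collections import Counter

# Constructed sample events: a remote-access portal writing one JSON object per line.
# The timestamps, usernames and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
{"ts": "2024-02-12T03:14:07Z", "event": "auth", "user": "jdoe", "src_ip": "203.0.113.10", "result": "success", "factors": ["password", "totp"]}
{"ts": "2024-02-12T03:15:22Z", "event": "auth", "user": "svc_backup", "src_ip": "198.51.100.7", "result": "success", "factors": ["password"]}
{"ts": "2024-02-12T03:16:40Z", "event": "auth", "user": "svc_backup", "src_ip": "198.51.100.7", "result": "failure", "factors": ["password"]}
{"ts": "2024-02-12T03:18:01Z", "event": "auth", "user": "asmith", "src_ip": "192.0.2.44", "result": "success", "factors": ["password"]}
{"ts": "2024-02-12T03:19:55Z", "event": "session_end", "user": "jdoe"}
not json at all
"""

# Factor names the (hypothetical) portal might record for a second factor.
SECOND_FACTORS = {"totp", "push", "fido2", "smartcard", "sms"}


def parse_events(text):
    """Parse one JSON object per line; lines that are not valid JSON are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole audit
    return events


def is_single_factor_success(event):
    """True for a successful auth event that recorded no recognised second factor."""
    if event.get("event") != "auth" or event.get("result") != "success":
        return False
    factors = set(event.get("factors", []))
    return not (factors & SECOND_FACTORS)


def find_single_factor_logins(text):
    """Return the successful single-factor logins found in the log text, in log order."""
    return [e for e in parse_events(text) if is_single_factor_success(e)]


def summarize_by_user(text):
    """Count successful single-factor logins per account."""
    return Counter(e["user"] for e in find_single_factor_logins(text))


if __name__ == "__main__":
    for e in find_single_factor_logins(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']} from {e['src_ip']}: password-only login")
    print(dict(summarize_by_user(SAMPLE_LOG)))
```

Only successful events are counted: a failed password-only attempt says nothing about whether the account would have been challenged for a second factor, whereas any success without one is a control gap regardless of who logged in. In a real deployment the set of factor names and the field names would come from the portal's documented event schema.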
