www.corvusinsurance.com Open in urlscan Pro
199.60.103.227  Public Scan

Form analysis
1 forms found in the DOM

/hs-search-results

<form data-hs-do-not-collect="true" action="/hs-search-results">
  <input type="text" class="hs-search-field__input" name="term" autocomplete="off" aria-label="Search" placeholder="Search" style="height: 97px;">
  <input type="hidden" name="type" value="SITE_PAGE">
  <input type="hidden" name="type" value="BLOG_POST">
  <input type="hidden" name="type" value="LISTING_PAGE">
</form>

Text Content

Cookie Policy
This website uses cookies to ensure you get the best experience on our website.
Learn more
Allow CookiesDismiss Cookie Preferences


Submit a Claim
 * Insurance
   * Smart Cyber Insurance®
   * Smart Tech E+O®
     Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year
 * The Corvus Solution
   * Cyber Underwriting
   * Corvus Signal™ Risk Prevention
   * Claims Management
     Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year
 * Broker Hub
   * Broker Resources
   * London Markets
   * Corvus Germany
   * Distribution Partnerships
     Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year
 * Resources
   * Cyber Resources
   * Blog
   * Threat Updates
   * Knowledge Nest
     Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year
 * Company
   * About Us
   * Careers
   * Pressroom
     Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year

Contact Us
Contact Us


Contact Us
Contact Us


CHANGE HEALTHCARE HACK: EVERYTHING YOU NEED TO KNOW

Lauren Winchester • April 1, 2024

On February 21st, an unnatural disaster hit healthcare providers across the
nation. The fallout: hospitals that couldn’t file claims, healthcare practices
unable to pay their staff, and individuals paying out of pocket for
prescriptions.

Change Healthcare (CHC), a healthcare technology and business management vendor,
was down as a result of a ransomware attack. UnitedHealth Group, which acquired
Change Healthcare in 2022, announced they discovered that threat actors gained
access to CHC’s environment and quickly disconnected impacted systems to stop
the spread. 

But CHC handles one in every three patient records in the United States. With it
offline, healthcare providers were left scrambling.


WHAT WE KNOW (SO FAR) ABOUT THE CHANGE HEALTHCARE HACK:

Medical claims processing, pharmacy operations, and practice management slowed
or stopped for thousands of hospitals, medical groups, and pharmacies.  

The event prompted an investigation by the Department of Health and Human
Services (HHS), which the HHS Office for Civil Rights cited as “unprecedented
magnitude.” Later, a cohort of leaders from HHS, the White House, and health
insurance companies discussed how to respond and recover.

To mitigate the fallout of the attack, Change Healthcare initiated a temporary
funding program, and the Centers for Medicare and Medicaid Services (CMS)
introduced flexibilities to provide relief for providers. 


CHANGE HEALTHCARE'S RESPONSE TIMELINE:

 * FEBRUARY 21: CHANGE HEALTHCARE DISCOVERS INCIDENT; UNITEDHEALTH GROUP FILES
   8-K WITH SEC

 * FEBRUARY 26: AMERICAN HOSPITAL ASSOCIATION WRITES A PUBLIC LETTER TO HHS
   WARNING OF WIDESPREAD IMPACT

 * FEBRUARY 28: ALPHV/BLACKCAT CLAIMS RESPONSIBILITY FOR THE ATTACK 

 * MARCH 7: CHANGE HEALTHCARE RESTORES 99% OF THEIR PHARMACY NETWORK SERVICES

 * MARCH 15: CHC'S ELECTRONIC PAYMENTS PLATFORM IS RESTORED 

 * MARCH 18: ASSURANCE, THEIR MEDICAL CLAIMS PREPARATION SOFTWARE, IS BACK
   ONLINE 

 * NOW: PHASED RECONNECTION AND TESTING CONTINUES IN AN EFFORT TO BRING CLAIMS
   PROCESSING BACK TO COMPLETE FUNCTIONALITY 


THE CULPRIT BEHIND THE ATTACK

The attack was perpetrated by the notorious ransomware gang ALPHV/BlackCat, who
the FBI has cited as the second most prolific ransomware-as-a-service variant in
the world. In December, the FBI disrupted the gang’s efforts by seizing several
websites operated by the group and offering a decryption tool to their victims. 

Unfortunately, that didn’t seem to deter them or their affiliate from targeting
one of the largest medical claims payment processors in the United States.
ALPHV/BlackCat allegedly stole four terabytes of data — and an affiliate hacker
claims they accessed data from numerous other healthcare firms partnered with
CHC as well. 

While Change Healthcare has not confirmed that it paid a ransom, security
researchers spotted a publicly visible $22 million transaction on Bitcoin’s
blockchain to an address connected to ALPHV/BlackCat. 

📹  EXPERTS DISCUSS THE FALLOUT OF THE CHANGE HEALTHCARE HACK: WATCH OUR WEBINAR

 


WHAT THIS MEANS FOR HEALTHCARE 

he Office of Civil Rights issued a “Dear Colleague” letter stating that their
investigation's primary focus is on United HealthGroup and whether a breach of
private health information occurred. Impacted healthcare providers are a
secondary concern for their investigation, but they included the following
reminder: 

“We are reminding entities that have partnered with Change Healthcare and UHG of
their regulatory obligations and responsibilities, including ensuring that
business associate agreements are in place and that timely breach notification
to HHS and affected individuals occurs.”

WHILE WAITING TO HEAR UPDATES FROM CHC REGARDING THE SCOPE OF IMPACTED DATA,
DOWNSTREAM HEALTHCARE PROVIDERS SHOULD DO THE FOLLOWING:

 1. REVIEW VENDOR CONTRACTS ASSOCIATED WITH CHANGE HEALTHCARE AND UNDERSTAND
    WHAT SERVICES THEY ARE ON THE HOOK FOR (AND IF ANY HAVE EVOLVED, CONSIDERING
    THE MANY ACQUISITIONS AND MERGERS) AND KNOW THEIR RIGHTS AS CUSTOMERS. 

 2. UNDERSTAND WHAT INFORMATION THEY HAVE SHARED WITH CHANGE HEALTHCARE
    HISTORICALLY. 

 3. FOLLOW UPDATES FROM CHANGE HEALTHCARE CLOSELY AS FINDINGS UNFOLD AND
    PARTICIPATE IN CALLS WITH CHC’S CHIEF INFORMATION SECURITY OFFICER TO SHOW
    DUE DILIGENCE. 

TIME FOR SYSTEMIC OVERHAUL 

In December 2023, HHS released a concept paper outlining the Department’s
cybersecurity strategy for the industry; this builds on the National
Cybersecurity Strategy outlined by President Biden and introduces new
healthcare-specific cybersecurity goals to increase accountability within the
sector.

This incident serves as a real-life (worst-case scenario) reminder: The
healthcare ecosystem is deeply interconnected. To prevent future catastrophic
events, the entire industry needs to address an overreliance on a handful of
vendors and meet the government’s cybersecurity standards. But sweeping systemic
changes won’t happen overnight. 

So, yes, operations are slowly returning to normal. But will “normal” be enough
for the healthcare industry in the future?

DATA PRIVACY CONCERNS 

It’s too early to understand the full scope of losses related to the attack.
UnitedHealth has not revealed much on the topic of exposed patient data, but
they have just begun the massive undertaking of parsing through what information
may have been accessed by threat actors. 

There’s also no guarantee that ALPHV/BlackCat deleted any of the exfiltrated
data, even if UnitedHealth paid the ransom. And to make matters worse, the
affiliate behind the attack claims they still have a copy (and were never paid
by ALPHV/BlackCat). 

In short, we have no idea what or how much data ALPHV/BlackCat accessed, which
means millions of patients’ sensitive health information could be compromised.
Plus, the sheer scale of the breach requires a thoughtful approach to
notification. Think of how many healthcare providers the average patient sees a
year (dentist, pharmacist, primary care) and the confusion (or panic!) if they
get a separate notification from each. 

UHG stated that, “where permitted,” it will handle the notification process for
customers whose data was impacted. Depending on the services healthcare
providers receive from CHC, CHC may act as a clearinghouse (in and of itself a
HIPAA-covered entity) or a business associate of the healthcare entities. The
terms of companies’ master agreements and business associate agreements with CHC
entities will determine whether UHG will handle the notification process on
behalf of the entities.


KEY TAKEAWAYS FOR ORGANIZATIONS:

 

THIRD-PARTY RISK MANAGEMENT 

In a letter to Congress, The American Hospital Association called the Change
Healthcare Hack “the most significant cyberattack on the U.S. healthcare system
in American history.” 

While the scale is unprecedented (most vendors aren’t involved in a third of the
business transactions in their industry), it provides an example of the impact
third parties have on business resilience. Or rather, how quickly any
organization can suffer if a critical vendor is offline. 

Third-party risk management helps organizations assess and identify risks
associated with third-party vendors so there’s a plan in place before a critical
partner is breached. Read more about securing vendors here.

BUSINESSES CONTINUITY AND DISASTER RECOVERY PLANS 

The actions an organization takes in the first 48 hours of a business disruption
dictate the speed and effectiveness of resuming business operations. To make
effective and quick mobilization possible, they need a business continuity and
disaster recovery (BCDR) strategy.

This doesn’t just address their own systems, but also their dependency on
vendors. By organizing a BCDR, it may force conversations between business
partners and IT to address critical vendors, if any, and contingency plans if
they were to go offline. Learn more here.

REVISIT VENDOR CONTRACTS AND BUSINESS ASSOCIATE AGREEMENTS (BAA)

Try to avoid letting vendor contracts or BAAs go untouched for too long
(especially with the frequency of mergers and acquisitions). As part of an
organization’s third-party risk management, they should regularly make sure
contracts are up-to-date, negotiate favorable terms (if possible), and note any
provisions related to a cyber attack.

 

Watch the webinar

 


RECOMMENDED BLOGS FOR YOU

Cyber and Healthcare: Treating the Rise of Ransomware
"They Found Hundreds of Trackers": How Healthcare is Responding to New
Guidelines for Pixel Tech
Ransomware Groups Want to Exploit Your File Transfer Software: Here’s What You
Need to Know
In the Binoculars: Barrett Heacock, Chief Financial Officer
Keeping up with Cybercriminals: The Future of Online Threats


RECENT ARTICLES

CHANGE HEALTHCARE HACK: EVERYTHING YOU NEED TO KNOW


Change Healthcare experienced a ransomware attack with unprecedented fallout.
What happened, and what have we learned?

WOMEN IN CYBER: ADVICE FROM THE FIELD


In honor of Women’s History Month, we connected with women making significant
contributions to cyber to collect career advice, lessons from the field, and...

LAW ENFORCEMENT CAN HELP IN A CYBER CRISIS — BUT PREVENTION IS EVEN BETTER


Law enforcement is thwarting threat actors on the dark web. But what can
organizations do to lay a strong security foundation (with or without the
FBI's...



Corvus Insurance® is a wholly owned subsidiary of The Travelers Companies, Inc.

©2024 Corvus Insurance Holdings Inc., Corvus Insurance Agency, LLC CA Lic No.
0M20816, Corvus Agency Limited, Corvus Underwriting GmbH. Nothing on this
website constitutes an indictment, offer, or contract of insurance. Material on
this website is intended for licensed insurance agent or producer use. This is
not intended for business owner or insured use. Please disregard this
communication if you are not a licensed agent or producer.

Corvus Headquarters:
100 Summer St.
Boston, MA 02110

Telephone Number:
(857) 259-3995

Insurance

Smart Cyber Insurance®

Smart Tech E+O®

Corvus Signal™

Cyber Underwriting

Claims Management

London Markets

Deutschland und Österreich 

Distribution Partnerships

Company

About Us

Careers

Pressroom

Privacy Policy

Legal Documentation

 

 

Contact Us

Resources

Blog

Broker Hub

Cyber Resources

Threat Updates

Knowledge Nest

 

 

Broker Sign In