Early in 2024, the United States healthcare sector was rocked by a devastating cyberattack on Change Healthcare, a pivotal player in health technology processes nationwide. The attack completely disrupted Change Healthcare's operations and sent shockwaves throughout the healthcare sector, impacting millions of Americans who rely on services powered by the affected providers—particularly pharmacies.
And it all stemmed from just one attack.
Months later, the repercussions still reverberate throughout the industry, highlighting the urgent need for robust cybersecurity measures in healthcare infrastructure. So, where do we go from here?
What Exactly Happened?
On February 21, 2024, Change Healthcare, the technology division of UnitedHealth Group that provides healthcare billing and data systems, fell victim to a malicious cyberattack orchestrated by a ransomware group. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact,” UnitedHealth Group said at the time.
Despite the company’s claims of fast response to mitigate issues, core functionalities like electronic prescribing for pharmacy services were offline into the following day. For a vital healthcare company that handles around 15 billion transactions annually, this was just the start of the problems.
The Continued Fallout
As you might imagine, the system outage affected millions, temporarily blocking access to vital prescriptions. But even after systems were fully restored, many healthcare providers, especially smaller ones, continued to face challenges in submitting claims and receiving payments well into the middle of March. Even giant companies like CVS Health reported issues with processing insurance claims for weeks after the ransomware attack. Plus, the outage's financial toll was staggering, with some estimates suggesting losses of over $100 million per day for healthcare providers as the system issues persisted.
By the time it was all over, ChangeHealth had paid nearly $2 billion in advances to help affected healthcare providers—and that’s aside from the ransom amount that totaled roughly $22 million in Bitcoin. So, yes, for a company with 152 million customers, the ransomware attack was devastating. But it was also catastrophic for the huge number of healthcare entities relying on them for their main transactions and processes.
And, again, it was all from just one single attack.
The Response
It’s not a secret that cyber attacks on healthcare organizations skyrocketed during the onset of the COVID-19 pandemic. But even after the pandemic's peak, attacks have persisted and intensified, now affecting nearly 6 in 10 healthcare organizations. Cyber attacks have become more frequent and sophisticated, targeting sensitive patient data, disrupting critical healthcare services, and jeopardizing patient care.
The Change Healthcare cyberattack is yet another example, but the backlash has been much more urgent and far-reaching than previous notable attacks. The attack on Change Healthcare triggered strong responses from prominent figures like Senate Majority Leader Chuck Schumer and leading medical organizations such as the American Medical Association (AMA) and the American Hospital Association (AHA). Each issued urgent calls to action, emphasizing the breach's massive impact on physicians and healthcare delivery nationwide.
New Government Action
Unsurprisingly, ransomware attacks like the one on Change Healthcare have spurred the Department of Health and Human Services (HHS) to further intensify its evolving cybersecurity guidelines. These new directives stress proactive approaches like risk assessments, employee training, and more robust incident response plans.
HHS now requires faster reporting of ransomware incidents, imposing penalties for non-compliance. Penalties have become more of a focus for the department recently. In a notable case in late 2023, HHS settled its first HIPAA violation linked to ransomware with Doctors’ Management Services. This Massachusetts-based medical management firm faced a $100,000 fine for insufficient security measures and failure to comply with HIPAA regulations. And while that’s definitely a hefty fine, expect it to be small compared to future punishments—HHS has vowed to bolster penalties and enforcement efforts, signaling stricter consequences for compliance violations stemming from ransomware attacks.
Now What?
The cyber attack on Change Healthcare was not the first of 2024, and it definitely won’t be the last. In late April, Canadian pharmacy chain London Drugs was forced to close all 79 locations as a precaution after what they described as a “cybersecurity incident.” Despite the shutdown, the chain assured customers and employees there was no evidence of any compromise to their data. According to a statement, the company “undertook countermeasures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation.” London Drugs’ prompt and proactive response likely averted what could’ve been a much different outcome.
The ransomware attack on Change Healthcare and others in the healthcare sector serves as a wake-up call to the pressing need for improved cybersecurity within the healthcare industry. After all, at this point, cybersecurity isn’t just a technological issue; it’s a matter of your health and safety. It's crucial that healthcare organizations prioritize and invest in cybersecurity defenses to safeguard patient data and critical systems. This includes implementing comprehensive risk management strategies, regular security assessments, and employee training programs to enhance security awareness.
Find out how the Huntress Security Platform can help safeguard patient data, protect critical infrastructure, and ensure the integrity of the healthcare system in the midst of constant threats.
Request a free demo to see for yourself.
Sign Up for Blog Updates
Subscribe today and you’ll be the first to know when new content hits the blog.