It’s the hack attack many Americans still don’t know about, but for healthcare companies, especially those owned by Black people and other minoritized groups, it was staggering.
For more than a month, Change Healthcare and its parent company, multinational health insurer UnitedHealth Group, have been laboring to clean up a massive data breach. International cybercriminals ALPHV/BlackCat claimed UnitedHealth Group paid $22 million to recover access to data and systems encrypted by ransomware. The thieves claimed to have stolen six terabytes of information and threatened to release it to international scammers.
A cryptocurrency trading firm partially corroborated the $22 million payment last month, but the ransom may not have been clean or successful. Cybersecurity firm Crowdstrike suggests the criminal recipients partnering with Blackcat pocketed the $22 million without sending it to the original hackers. Hipaajournal reports the Minnesota Hospital Association and the Minnesota Attorney General have issued warnings that scammers now appear to be targeting patients affected by the ransomware attack. So far, there’s no telling if international creeps are using contact information crooks sold to the highest bidder or if the new scammers are simply taking advantage of desperate customers.
"I didn’t even know that I worked with Change Healthcare."
It's an ugly mess made worse by the fact that UnitedHealth Group first reacted to the hack by shutting down its nationwide system. This halted electronic payments and medical claims processing. Many patients and their doctors didn’t even realize they were part of UnitedHealth Group’s web until the checkbook suddenly went dark.
Courtney Harring, founder and managing member of Atlanta Telehealth LLC, said she was unaware of her connection to Change Healthcare until the February attack prevented payouts to doctors on the company’s platform. Her business, which provides therapy to U.S. veterans, is a government contractor and generally receives referrals directly from the Department of Veterans Affairs or TriWest Healthcare Alliance. She said the company’s name never came up in the paperwork from her end.
"I didn’t even know that I worked with Change Healthcare. I’m contracted with Tri West Healthcare Alliance, but Tri West Healthcare Alliance is contracted with Change Healthcare,” Harring told BGX. “Our pay process is like a circuit. You turn the light on when you submit your claim. It goes through the coil to turn the light on, and you get paid. But the system broke between the light coming on and the light switch, so nothing could move. The light was never on, and we didn’t get paid.
Harring claims neither TriWest Healthcare Alliance nor Change Healthcare alerted her to the situation, even while it was happening. She had to Google the news and verify the existence of the hack for her employees before they would believe her.
“I had to literally prove to my people that this is what happened,” Harring said. “I only found out on the news. Sure, it’s on (Change Healthcare’s) website now, but … we weren’t paid for three weeks.”
Three weeks without revenue is a problem for the most profitable businesses. For small contractors like Atlanta Telehealth, which has its own contractors to pay, it could be a death sentence. Change Healthcare handles "14 billion clinical, financial, and operational transactions annually," according to its website. That’s potentially a lot of death sentences, and minority-owned companies like Harring’s are particularly vulnerable.
“Medical practices don’t have a very large margin. They eventually turned it back on, and we’re getting reimbursed, but it’s only a little every day. They owe me $30,000. Today, for example, I got $2,000, but that’s not even my payroll. My payroll is about $20,000, and my savings isn’t going to cover the loss.”
It will take roughly a month for Harring to financially recover, but she remains leery of her future in a world where big companies invite more shark attacks by paying off sharks.
In the immediate aftermath of the attack, the federal government encouraged vendors to switch away from Change, but this isn’t easy. It’s not even an easy option for giant hospitals moving massive amounts of data and transactions, much less small businesses focused on staying open and paying bills. Plus, United Healthcare’s claims processing tool is difficult to surrender. It’s widely accepted, manageable and an easy sell for organizations like Harring’s own TriWest Healthcare Alliance. Up until very recently, it was the go-to tool, owned by the go-to company.
Harring considers herself one of the lucky ones. Her employees and contract workers were understanding and in a place to tolerate the revenue halt, but problems remain. In addition to the money hole, patient information was still lost to international thieves who could have sold account numbers, social security numbers, birth dates, addresses, and complete names for the highest bid. In addition to making her patients easy targets for scam calls, this is precisely the kind of information a thief needs to open a credit card in your name.
It doesn’t help that United Healthcare remains stingy with information on the attack and that current federal rules allow them to remain so.
“I want to know how they’re making sure this doesn’t happen again. What are your measures? What are you doing about the next attack and what type of data was stolen,” Harring said. “United never answered any of my questions. You cannot get them on the phone. ‘Due to high call volume …’ is always the message. They did a great job of keeping this out of the news for two weeks.”
Comentarios