The Change/Optum Health cyberattack exposed patient medical records, is delaying prescriptions and impacts every hospital in the United States
"Disconnect to Stop the Spread" emergency plans are failing to stop ongoing Threat-to-Life cyber crimes at the country's largest private healthcare companies
Change Healthcare said Feb. 26 that it expects the cybersecurity incident that has disrupted its payment and pharmacy processing operations to last at least through the day.
The Optum subsidiary has been dealing with the issue since Feb. 21, reporting that it disconnected its systems so its partners, which include thousands of hospitals, didn't have to. The company said it suspects a nation-state was behind the attack.
"It's a mess, and I believe it's our Colonial Pipeline moment in healthcare," Carter Groome, CEO of healthcare consultant First Health Advisory, told The Wall Street Journal. That 2021 cyberattack, the largest to hit the U.S. oil industry, left thousands of gas stations without fuel for days.
Cybersecurity experts worry the Change Healthcare hack could have a similarly broad impact because of the massive amounts of patient data the company is responsible for. Some hospitals and retail pharmacies have had to process prescriptions manually, causing delays.
An Optum spokesperson told Becker's it counts cybersecurity firm Mandiant, a Google subsidiary, among its key external partners addressing the incident.
The American Hospital Association continues to advise health systems to disconnect from Change Healthcare and Optum. Danville, Pa.-based Geisinger, Helena, Mont.-based St. Peter's Health and Buffalo, N.Y.-based Roswell Park Comprehensive Cancer Center are among those that already have. AHA President and CEO Rick Pollack said Feb. 23 these types of attacks are "threat-to-life crimes."
"This incident has nothing to do with Optum having shoddy services," Toby Gouker, chief security officer at First Health Advisory, told SC Magazine. "In fact, they discovered the anomaly quickly and did exactly what they were supposed to do according to their clearly practiced playbook: Disconnect to stop the spread."
He told the news outlet the incident appears to be a result of hackers exploiting vulnerabilities in the ConnectWise ScreenConnect remote IT platform, then infecting Change's systems with LockBit malware. ConnectWise, however, did not confirm the report.
"My understanding is Change/Optum touches almost every hospital in the United States in one way or another," John Riggi, the AHA's national advisor for cybersecurity and risk, told Chief Healthcare Executive. "So really, this is an attack on the entire sector."
Moody's has said it could be a negative credit event for Optum parent UnitedHealth Group.