3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management

Groups Warn Health Sector of Change Healthcare Cyber Fallout

Some Researchers Confident ConnectWise ScreenConnect Flaw Was Exploited in Attack
Groups Warn Health Sector of Change Healthcare Cyber Fallout
The Health-ISAC issued an advisory urging healthcare sector entities to closely monitor potential impact from the recent attack on Change Healthcare. (Image: H-ISAC)

Industry groups, including the Health Information Sharing and Analysis Center and the American Hospital Association, are urging their members to take precautions in the wake of a cyberattack last week on Change Healthcare, a unit of Optum.

See Also: Take Inventory of Your Medical Device Security Risks

The advisories come as some security researchers, including those at threat intelligence firm RedSense, in recent days have blamed the Change Healthcare incident on an apparent exploitation of the CVE-2024-1708 and CVE-2024-1709 vulnerabilities in ConnectWise's remote access tool ScreenConnect.

On Tuesday, RedSense said evidence suggested that ransomware group AlphV - also known as BlackCat - was behind the attack, and Databreaches.net reported that the gang had claimed credit.*

ConnectWise on Monday reiterated a statement it had provided to Information Security Media Group over the weekend, disputing a link between the Change Healthcare incident and the ScreenConnect vulnerabilities.

"At this time, we cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare," ConnectWise said.

"Our initial review indicates that Change Healthcare is not a direct customer of ConnectWise, and we have not received any reports from our managed service provider partners indicating that Change Healthcare is their customer either," ConnectWise said.

On Monday, ConnectWise told ISMG: "We want to emphasize that we take these matters seriously and are committed to sharing relevant information regarding the ScreenConnect vulnerability. We are actively collaborating with the community and government entities such as CISA to effectively address this situation."

Despite ConnectWise's assertion, RedSense contends otherwise.

"Every SIGINT indicator that we have leads us to believe that it was a ConnectWise ScreenConnect vulnerability exploitation," Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, told ISMG on Monday.

"I know ConnectWise denies this; however, it's natural to disagree on initial accesses when full information on the incident is limited," he said. Even if Change Healthcare is not a direct customer of ConnectWise, "it is possible via third-party networks there are customers. ConnectWise ScreenConnect is a large framework," he said.

Industry Alerts

Over the weekend, the AHA - in an updated advisory about the Change Healthcare attack - recommended that healthcare sector entities heed previous ScreenConnect alerts by federal authorities, including one issued by CISA last week warning that the authentication bypass vulnerability in ScreenConnect is being "actively" exploited.

The Health-ISAC in an advisory on Monday recommended that the healthcare sector stay vigilant in light of security research reports claiming that Change Healthcare is potentially among the victims of recently exploited ConnectWise ScreenConnect vulnerabilities.

"As the incident is still under investigation, it is not possible to confirm the attack details," Health-ISAC said. "Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute."

Health-ISAC already has received reports of widespread exploitation of the ScreenConnect vulnerabilities, its chief security officer, Errol Weiss, told ISMG on Monday. "We're urging all organizations, regardless of what sector they are in, that if they are using ScreenConnect, they should immediately follow the ConnectWise advisory."

Health-ISAC in its alert advised organizations using ConnectWise ScreenConnect in their environments to closely monitor a list of indicators of compromise and recommendations.

For example, Health-ISAC said atomic IOCs, traffic to/from these - as well as others - could indicate compromise:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60
  • 118.69.65.61
  • 207.148.120.105
  • 192.210.232.93
  • 159.203.191.1

Widespread Disruption

On Monday, Optum said in a status update that the outage is still affecting 117 Change Healthcare applications or components.

Meanwhile, the Change Healthcare incident is causing an assortment of disruptions throughout the healthcare ecosystem, including military clinic and hospital pharmacies and retail pharmacies.

That includes some CVS pharmacies and other units. "We are aware that Change Healthcare is experiencing a network interruption that is impacting certain CVS Health business operations, as well as the operations of other companies nationally," CVS told ISMG in a statement on Monday.

Some CVS pharmacies are among the many healthcare sector entities experiencing disruptions related to Change Healthcare's cyber outage. (Image: CVS)

"There is no indication that CVS Health's systems have been compromised. We're committed to ensuring access to care as we navigate through this interruption. We have business continuity plans in place to minimize disruption of service and apologize for any inconvenience our customers and members may experience," CVS said.

"We're continuing to fill prescriptions but in certain cases we are not able to process insurance claims, which our business continuity plan is addressing to ensure patients continue to have access to their medications."

Some Rite Aid pharmacy stores have also been affected by the Change Healthcare incident.

"Only a small percentage of Rite Aid claims were impacted by the outage. We successfully processed many of those claims through another billing mechanism without interrupting patient care," a Rite Aid spokeswoman told ISMG on Monday.

The AHA in its updated advisory over the weekend said it recognizes that "hospitals and health systems may be experiencing challenges with obtaining care authorizations for their patients, as well as delays in payment."

The AHA said it was in communication with the U.S. Department of Health and Human Services, including the Centers for Medicare & Medicaid Services, "about options to support patients' timely access to care and provide temporary financial support to providers."

Health-ISAC's Weiss told ISMG that after Change Healthcare had acknowledged last week that the company was dealing with a cybersecurity issue and had isolated its systems to prevent further impact, some healthcare sector entities overreacted to the news.

"Unfortunately, in the days that followed, believing they were protecting their networks, some hospitals severed all their network connections with UnitedHealth Group - which includes Change Healthcare and Optum," he said.

"That just added to the problems, as hospitals then experienced even more disruptions - loss of prior procedure authorizations, electronic prescriptions, and more. We hoped to clear up the confusion today with some clearer guidance on maintaining network connection with Optum and conducted a more thorough business risk analysis."

HHS in an updated email bulletin on Monday referred the healthcare sector to H-ISAC's advice about the Change Healthcare incident, as well as the possibility that ScreenConnect exploits had been involved.

In an alert last Thursday, HHS said it is working closely with Optum to assess the cyber incident and its impact on patient care (see: Change Healthcare Cyber Outage Disrupts Firms Nationwide).

Optum, which is a subsidiary of UnitedHealth Group, acquired Change Healthcare in October 2022 for $7.8 billion. It has been posting periodic status updates about the incident since it was detected early on Feb. 21.

Optum said that upon discovering the "outside threat," it immediately disconnected Change Healthcare's systems to prevent further impact. "This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue," Optum said.

"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect," Optum said.

Each of Optum's status updates since last Wednesday have said the disruption "is expected to last at least through the day."

Optum did not immediately respond to ISMG's request for additional details about the incident.

UnitedHealth Group, in a filing to the U.S. Securities and Exchange Commission late in the day Thursday, said the incident involves "a suspected nation-state associated cyber security threat actor" who gained access to some of the Change Healthcare IT systems.

*Update: Feb. 27, 2024 UTC 13:36 to reflect BlackCat's suspected involvement in Change Healthcare attack.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.