Change Healthcare Outage Hits Military Pharmacies Worldwide
ConnectWise Denies Speculation That Hack Involved the ScreenConnect Flaw Exploit
Pharmacies at U.S. military hospitals and clinics worldwide are among the entities affected by the cyberattack on Optum's Change Healthcare this week, which has forced the IT services company to take many of its applications offline.
Tricare, a healthcare program for uniformed service members, retirees and their families, in an alert posted on its website Thursday said that the cyberattack on Change Healthcare - "the nation's largest commercial prescription processor" - has affected all military medical facilities.
Change Healthcare disconnected its IT systems on Wednesday "to protect patient information," and the incident is affecting all military pharmacies worldwide and some retail pharmacies nationally, Tricare said.
"Military clinics and hospitals will provide outpatient prescriptions through a manual procedure until this issue is resolved," Tricare said. "Military pharmacies will give priority to urgent prescriptions followed by routine prescriptions. Each military hospital and clinic will continue to offer pharmacy operations based on their local manning and resources."
Optum, which is a subsidiary of UnitedHealth Group, acquired Change Healthcare in October 2022 for $7.8 billion. It has been posting periodic status updates about the incident since it was detected early Wednesday morning.
On Thursday, UnitedHealth Group submitted a report about the hack to the U.S. Securities and Exchange Commission, saying the incident involved "a suspected nation-state associated cybersecurity threat actor" who had gained access to some Change Healthcare IT systems.
In a status update posted Friday, Optum said it has "a high-level of confidence" that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by the Change Healthcare incident.
"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online," Optum said.
"We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day."
Some experts are reportedly speculating that the Change Healthcare incident might have involved exploits of vulnerabilities in the ConnectWise ScreenConnect application.
But ConnectWise in a statement to Information Security Media Group said no link has been established between the Change Healthcare hack and any potential exploit of ScreenConnect flaws.*
"At this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability," the company said. "Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs. We remain committed to sharing information related to the ScreenConnect vulnerability and collaborating with the cybersecurity community and welcome additional information from the cybersecurity researchers following this situation."
Last month, the Department of Health and Human Services issued an alert warning about attacks on healthcare sector firms that use ConnectWise's remote access tool ScreenConnect (see: Feds Warn Healthcare Sector of ScreenConnect Threats).
The alert said hackers had compromised a locally hosted version of the tool used by a large national pharmacy supply chain and managed services provider in 2023. Although HHS did not name the pharmacy supply chain and management services provider hit by the ScreenConnect hack, its alert referred to a report concerning ScreenConnect that security firm Huntress had issued last November.
Optum did not immediately respond to Information Security Media Group's request for additional details about the Change Healthcare incident.
Some legal experts have begun to warn their healthcare sector clients of potential breaches and other issues that might result from the Change Healthcare attack or other related incidents that could affect patients.
Law firm BakerHostetler issued an alert on Friday saying it is closely monitoring "imminent cybersecurity threats" to healthcare revenue cycle management personnel and vendors.
"Hundreds of healthcare providers throughout the country utilize Change Healthcare for eligibility clearance and revenue cycle management, and this incident has disrupted the availability of some of its services," the law firm said.
"In addition to service disruptions, which may have financial implications for organizations, this incident could have HIPAA breach notification implications for healthcare providers," the law firm said.
Depending on the services healthcare providers receive from the company, Change Healthcare may act as a clearinghouse or a business associate of the healthcare entities, BakerHostetler said.
"In both capacities, CHC collects a large amount of protected health information as part of the services it provides. If that data was accessed or acquired as a result of this incident, there could be a very large patient notification, and that notice responsibility may fall on healthcare systems and providers if CHC is acting as a business associate," the firm said.
In addition to the Change Healthcare incident, BakerHostetler said it is working "with a number of healthcare organizations that have experienced email phishing and other incidents targeting their healthcare revenue cycle workforce and vendors."
BakerHostetler did not immediately respond to ISMG's request for additional comment.
*Updated Feb. 24, 2024, UTC 15:27 to reflect ConnectWise's statement to ISMG.