Change Healthcare said Feb. 26 that it expects the cybersecurity incident that has disrupted its payment and pharmacy processing operations to last at least through the day.
The Optum subsidiary has been dealing with the issue since Feb. 21, reporting that it disconnected its systems so its partners, which include thousands of hospitals, didn't have to. The company said it suspects a nation-state was behind the attack.
"It's a mess, and I believe it's our Colonial Pipeline moment in healthcare," Carter Groome, CEO of healthcare consultant First Health Advisory, told The Wall Street Journal. That 2021 cyberattack, the largest to hit the U.S. oil industry, left thousands of gas stations without fuel for days.
Cybersecurity experts worry the Change Healthcare hack could have a similarly broad impact because of the massive amounts of patient data the company is responsible for. Some hospitals and retail pharmacies have had to process prescriptions manually, causing delays.
An Optum spokesperson told Becker's that cybersecurity firm Mandiant, a Google subsidiary, is helping address the incident.
The American Hospital Association continues to advise health systems to disconnect from Change Healthcare applications affected by the cyberattack. Danville, Pa.-based Geisinger, Dallas-based Baylor Scott & White Health, Helena, Mont.-based St. Peter's Health and Buffalo, N.Y.-based Roswell Park Comprehensive Cancer Center are among those that already have. AHA President and CEO Rick Pollack said Feb. 23 these types of attacks are "threat-to-life crimes."
"My understanding is Change/Optum touches almost every hospital in the United States in one way or another," John Riggi, the AHA's national advisor for cybersecurity and risk, told Chief Healthcare Executive. "So really, this is an attack on the entire sector."
Moody's has said it could be a negative credit event for Optum parent UnitedHealth Group.
"This incident has nothing to do with Optum having shoddy services," Toby Gouker, chief security officer at First Health Advisory, told SC Magazine. "In fact, they discovered the anomaly quickly and did exactly what they were supposed to do according to their clearly practiced playbook: Disconnect to stop the spread."
He told the news outlet the incident appears to be a result of hackers exploiting vulnerabilities in the ConnectWise ScreenConnect remote IT platform, then infecting Change's systems with LockBit malware.
"At this time, we cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare," a ConnectWise spokesperson emailed Becker's. "Our initial review indicates that Change Healthcare is not a direct customer of ConnectWise, and we have not received any reports from our managed service provider partners indicating that Change Healthcare is their customer either."