Physician Practices Bear the Cost of the Change Healthcare Ransomware Attack

John M. Burke, MD

Hematologist and Medical Oncologist

Rocky Mountain Cancer Centers

Associate Chair

US Oncology Hematology Research Program

Aurora, CO

February 21, 2024, seemed like any other Wednesday, but during the day, word spread around the office that the software program athenaOne, which we use to schedule patients, was not working. This was not the first time that athenaOne had malfunctioned, but this time it went down and stayed down. Eventually, the explanation became clear: Change Healthcare, a subsidiary of Optum and owned by UnitedHealth Group, announced that its network had been the victim of a cyberattack.

The company’s technology also processes insurance claims, including billions of prescriptions annually. Clearly, a disruption to the Change Healthcare systems could be catastrophic to the entire US health care system.

A group known as either “ALPHV” or “BlackCat” orchestrated the cyberattack. BlackCat reportedly functions as a “ransomware-as-a-service” organization, meaning that its leadership develops ransomware, which affiliates of BlackCat deploy to attack a company. Any subsequent ransom payments are divided between the BlackCat leadership and the affiliates. UnitedHealth Group is believed to have paid a $22 million ransom to BlackCat, although the company has not confirmed this. In addition to paying the ransom, in April, UnitedHealth Group announced that the cyberattack had cost it $872 million, with the projected total cost for the year ranging between $1.35 billion and $1.6 billion.

Recently, a new hacker group called RansomHub said it had 4 terabytes of data from Change Healthcare and demanded another ransom payment. On April 16, 2024, RansomHub delivered on its threat and posted patient health and other confidential information, including contracts between Change Healthcare and its clients, on its dark website.

After about 6 weeks, our practice was able to return closer to business as usual, and the scheduling software is now functional. However, during the crisis, our staff had to create work-arounds to schedule patients and after systems were restored, we had to catch up on unbilled charges. The damage to physician practices may be extensive. A survey by the American Medical Association found that 80% of physicians reported lost revenue because of the event. I know my practice counts itself in that category, and we are still working to estimate the damage done.