UnitedHealth's cyberattack should be a 'wake-up call' for healthcare
The US Health and Human Services Department (HHS) announced Tuesday it would help doctors and hospitals find alternate claims processing platforms in order to help reboot the flow of business after a cyberattack on a UnitedHealth Group (UNH) subsidiary crippled operations of a large swath of America's health systems for the past two weeks.
The cyberattack on Feb. 21 paralyzed Change Healthcare, which is used by hospitals, doctors' offices, and pharmacies to process payments and prior authorizations for patient visits and prescriptions.
United provided a lengthy status update Tuesday afternoon, including acknowledging that a well-known Russian-backed ransomware group, BlackCat, was responsible for the attack.
The FBI has known about BlackCat, also known as ALPHV, and was successful in breaching the group at the end of last year, but was not able to shut it down. BlackCat has previously attacked a variety of healthcare entities. It claimed to have obtained up to 6 terabytes of data during the recent attack, and says it received $22 million in bitcoin, a transaction visible on the blockchain, but it is unclear where it came from.
UHG declined to comment on if it paid the ransom.
The latest data shows 90% of claims are flowing uninterrupted for health providers, and pharmacies should be fully back online by Thursday, UHG said in its statement Tuesday.
In addition, the company said, "We’ve made progress in providing workarounds and temporary solutions to bring systems back online in pharmacy, claims and payments."
While smaller systems that heavily relied on Change Healthcare are struggling, larger systems that have multiple vendors or have the financial resources to be able to quickly pivot to another vendor are less impacted.
But there are few that can claim not to be impacted at all.
"This may be the first of its kind, where an outage at the interoperability layer weakens the capacity of the system to function," said Aneesh Chopra, former US chief technology officer and currently co-founder and president of CareJourney, a healthcare analytics company.
"This is a wake-up call on the need for redundancy in systems so we have backup options when a particular vendor goes down," he told Yahoo Finance.
"This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem," HHS said in a statement.
UHG's stock is down more than 7% in the past month, trading at $473 Tuesday, and it has lost about $30 billion in market cap in the past month. The biggest moves down came a few days after the attack, when it became clear the company was not going to immediately be able to resolve the issues.
Third-party risks
Because of the regulations to protect patient information, tech platforms have struggled to allow their software to interact with each other and allow seamless connections for health systems.
But in recent years, newer products have made it easier to achieve interoperability, which is also what makes them more vulnerable to attacks.
United's attack makes sense for that reason, experts told Yahoo Finance, because it choked off a key mechanism in the inner workings of the system. Change allows various different entities in the healthcare system to process claims and payments — take for example CVS (CVS) saying 25% of its claims go through Change. That's very different from previous attacks on single entities like hospitals and insurers, which impact only one end of the equation.
United is also an appealing target because its Optum brand includes Optum Financial, a different vertical at UHG, which runs a number of payment systems.
Optum Financial, previously Optum Bank, includes the company's affordable housing financing, as well as other processing platforms like Solutran — one of the largest payment processors for the federally funded WIC nutrition assistance program in half of US states, as well as tribal nations and territories. The federal benefits program caters to women, infants, and children and was earmarked for $6.3 billion in the 2024 federal budget proposal.
Solutran also has a grocery benefit product that insurers are utilizing in the increasingly competitive Medicare Advantage and health equity space — another avenue for UHG to handle financial transactions in the health space.
Cyberattacks
UHG is far from alone in facing cyberattacks. And despite being a well-resourced company, it faces the same problem that others in the tech and finance sectors face: There is a global shortage of cybersecurity experts.
Data shows that there is a shortage of more than 4 million cybersecurity professionals in the global workforce as of 2023, and that represents a 12.6% jump from the prior year. Compounding the problem, there is a hierarchy of where talent goes.
Finance is the top hiring sector for cyber jobs, with technology and healthcare ranking lower.
Stephen Gillett, CEO of Verily, a subsidiary of Alphabet (GOOG, GOOGL), told Yahoo Finance, that "some of the most extraordinarily capable security teams I have seen are the big banks on Wall Street."
That's not to say that there aren't those who are willing to work in other sectors, but it shrinks the potential talent pool.
It's why cyberattacks are a key focus for HHS, which itself has been a target in recent years. It has noted that ransomware attacks are growing to be the most common form of cyberattacks on health systems.
Over the past five years, there has been a 256% increase in large breaches reported to HHS and a 264% increase in ransomware specifically. The agency said in 2023 large breaches affected 134 million individuals, which was a 141% increase from the prior year.
The attacks happen in all industries, but because healthcare entities are required to report them, they draw criticism for being ill-prepared and under-resourced.
Health leaders say they are doing everything they can and spending millions to protect against attacks.
John Couris, Tampa General Hospital president and CEO, told Yahoo Finance he "totally disagrees" with the criticism.
When attackers targeted TGH, they were unable to encrypt the data and did not reach the electronic health records — one of the most valuable assets a health system holds. And the issue was traced to a third-party vendor, rather than an internal issue at TGH.
"What I took away from it is we need to do a more thorough job at vetting some of our third-party vendors," Couris said.
Anjalee Khemlani is the senior health reporter at Yahoo Finance, covering all things pharma, insurance, care services, digital health, PBMs, and health policy and politics. Follow Anjalee on all social media platforms @AnjKhem.
Daniel Howley contributed to this report. Daniel Howley is the tech editor at Yahoo Finance. He's been covering the tech industry since 2011. You can follow him on Twitter @DanielHowley.
Read the latest financial and business news from Yahoo Finance
