Uncle Sam intervenes as Change Healthcare ransomware fiasco creates mayhem

As the crooks behind the attack - probably ALPHV/BlackCat - fake their own demise

The US government has stepped in to help hospitals and other healthcare providers affected by the Change Healthcare ransomware infection, relaxing some Medicare rules and urging insurers to advance funding to providers.

Change, a UnitedHealth Group-owned IT services firm, provides software to more than 70,000 American pharmacies and healthcare organizations so they can electronically process insurance claims and fill prescription orders.

Many of Change’s customers have reported disruptions and severe cash flow issues following the February 21 cyber attack.

On Tuesday, the Department of Health and Human Services (HHS) intervened to assist the healthcare industry and ensure that medical facilities can continue to provide patient care.

"Numerous hospitals, doctors, pharmacies and other stakeholders have highlighted potential cash flow concerns to HHS stemming from an inability to submit claims and receive payments," the department explained in a statement. "HHS has heard these concerns and is taking direct action and working to support the important needs of the healthcare community."

This includes allowing Medicare providers to change clearing houses they use for claims processed during the outage via an expedited process.

The Feds are also "encouraging" Medicare Advantage organizations to offer advance funding to providers more severely affected by the cyber attack. These are the private companies – like UnitedHealthcare and Humana – that Medicare pays to cover individuals' benefits.

Additionally, the government "strongly encourages" Medicaid and Children's Health Insurance Program managed-care plans to either relax or remove prior authorization requirements and offer advance funding to providers.

On top of that, Medicare Administrative Contractors are required to accept paper claims from providers while their electronic billing systems remain down.

"This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cyber security resiliency across the ecosystem," HHS noted, and directed medical providers to its December concept paper [PDF] that outlines a cyber security strategy for the sector.

A month later, the Feds issued new voluntary cyber security performance goals for hospitals and other healthcare organizations – which some infosec experts predict probably won't be "voluntary" for very long.

'They're really in the hurt locker'

The government stepping in to assist pharmacies and medical providers "is huge," Padraic O'Reilly, co-founder and chief innovation officer of cyber risk firm CyberSaint, told The Register.

"The smaller practices are really suffering – they're really in the hurt locker," he added. "It's such a supply chain issue, and it really reaches into the entire infrastructure around healthcare payments, which is really quite scary. It's really high risk to have half the transactions running through one provider."

Compared with other critical infrastructure sectors, "healthcare [cyber security] historically tends to lag because they don't always have the mandate from above that other sectors do," O'Reilly explained.

Considering HHS's voluntary goals, plus the Biden administration's focus on improving cyber security – especially across the critical infrastructure sectors – "I wouldn't be surprised at all if HHS, on the heels of this, makes more stringent requirements, tying it to Medicare, Medicaid," he opined. "It's a carrot-and-stick type scenario."

More ALPHV drama

Meanwhile, drama continues to play out in the orbit of ALPHV/BlackCat, the ransomware gang responsible for the attack on Change Healthcare.

After receiving more than $22 million in Bitcoin – in what may or may not have been a ransomware payment – the criminal group reportedly stole the money from its affiliate crew that attacked the healthcare IT provider.

Shortly after, the ALPHV website disappeared, and was replaced by a banner declaring it had been seized by international law enforcement including the FBI and the UK's National Crime Agency (NCA).

This appears to be an exit scam – the crooks take the money and run, while the fake seizure notice buys them time to regroup and possibly resurface under a different brand now that the gang has burned some of its affiliates.

The FBI declined to comment, but a National Crime Agency spokesperson told The Register "any recent disruption to ALPHV infrastructure is not a result of NCA activity."

The consensus among threat intel folks on social media seems to be "exit scam," with some pointing out that the source of the new takedown notice looked suspect and not like a genuine law enforcement seizure page.

Infosec analyst and security researcher Dominic Alvieri told The Register it's an exit scam, while self-described “slayer of ransomware” Fabian Wosar called it "a poor attempt by ALPHV/BlackCat to hide their exit scam. Don't fall for it." ®
