CLEVELAND — On Feb. 21, the Russia-based ransomware group BlackCat/ALPHV hacked into Change Healthcare, which processes one out of three health care claims in the U.S.
The hack crippled the ability for claims, prescriptions, and payrolls to be processed by thousands of hospitals, doctor offices, and pharmacies across the country, including Ohio. It took two weeks before owner UnitedHealth Group was able to get the prescription services back up and running.
In a statement, UnitedHealth Group said:
"We are working aggressively on the restoration of our systems and services. Assuming we continue at our current rate of progress, we expect our key system functionality to be restored and available on the following timelines:
"Pharmacy services: Electronic prescribing is now fully functional with claim submission and payment transmission also available as of today. We have taken action to make sure patients can access their medicines in the meantime, including Optum Rx pharmacies sending members their medications based on the date needed.
"Payments platform: Electronic payment functionality will be available for connection beginning March 15.
"Medical claims: We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week.
"While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established — in particular, using our new iEDI claim submission system in the interest of system redundancy given the current environment."
What's not known is if the hack took personal patient data. However, on Wednesday, the U.S. Department of Health and Human Service's Office for Civil Rights said that because of the "unprecedented magnitude" of the attack, it will examine whether Change Healthcare followed laws protecting patient privacy. The office enforces federal rules that establish privacy and security requirements for patient health information.
Also, companies are beginning to file federal lawsuits against UnitedHealth Group, claiming the company is responsible for not following security protocols. Meanwhile, there are steps you can take to protect yourself.
"If you're 60 or older, know that you're being targeted every single day," cybersecurity expert Rich Ullom says.
Ullom is the former president and current member of Infragard, a partnership with the FBI and the private sector for the protection of critical U.S. infrastructure and national security. He says too often, many of us put ourselves at risk all the time.
For example, when was the last time you changed your passwords, especially those on your medical chart information?
"You can hack a five-character password in about two minutes with the right piece of gear," Ullom told 3News, explaining that's why you can't make it easy to guess. "Use a good-size pass phrase — not just a word, but make sure there's numbers and special characters."
But that's just the beginning: Ullom says to always use two-factor authorization, and to shred any important documents containing your social security number, date of birth, and any medical information, including bills.
If you receive notice you were part of a data breach and are offered protection, sign up for it immediately. Also, check your credit reports monthly and your credit card and bank statements weekly.
One more thing: Question any phone call that asks for any personal information. If it's legitimate, they likely already have the info.
"Basically what I'm saying here is don't trust, but it's OK to hang up on a scammer," Ullom said. "In fact, it’s the right thing to do."