‘Return What You Stole and Be a Man With Dignity’ | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Doctors are liquidating their savings accounts to make payroll. Pharmacies can’t sell patients a five-day supply of Paxlovid for less than $1,400. A cybersecurity consultancy estimates that hospitals, clinics, and physician practices are bleeding some $100 million per day; physicians say that number understates the shortfall, possibly by an order of magnitude. And pretty much every other medical professional we know agrees the crisis is more disastrous for the health care industry than COVID-19.

It is Day 21 of the ransomware outage at Change Healthcare, a once-unknown repository of American health care data owned by the Minnesota health care colossus UnitedHealth, whose blackout has crippled large swaths of the health care system with no end or recourse in sight. (The Biden administration has vowed to send emergency assistance to some victims of the meltdown, but independent physicians and clinics have not been explicitly addressed by any of the vague promises HHS has made about the situation.)

Ransomware attacks are a literal everyday occurrence. Last year, health care systems alone reported 371 disruptions caused by hacker gangs bearing stolen data. But outages stretching past a fortnight are relatively unprecedented. The Colonial Pipeline stoppage inflicted by an earlier iteration of the ransomware gang that attacked Change lasted all of five days. On Day 6 of Change-ageddon, a poster on a pharmacy subreddit wondered what was taking so long.

“They are waiting for a prior authorization before paying it,” a user replied. “Should be any day now.”

A few days later, the Brooklyn psychiatrist Owen Muir expanded the joke into an extended transcript of a satirical “all-hands town hall” in which ALPHV, the Russia-based ransomware group that had taken credit for breaching Change, explains to angry stakeholders why the operation is taking so long: After days of “having to say representative, over and over again,” they finally learned they needed to submit their ransom request via fax machine, at which point they learned that they needed to wait 14 days for a peer review with one of UnitedHealth’s in-house hackers, to “determine if our ransom request is … How do they put it? Oh, reasonable and customary.”

“It turns out their whole business is structured around ‘ransom requests,’ except it’s not for the data, it’s for human health,” the “hacker” observes.

More from Maureen Tkacik

But life imitates satire, and this week we learned that on Day 10 of the outage, someone presumably associated with UnitedHealth finally made a $22 million payment to a Bitcoin wallet associated with ALPHV. (Just for comparison’s sake, the Colonial Pipeline CEO testified that he waited all of one day after learning about the ransomware attack to pay off the attackers, after which it took another four days to get the gasoline back up and pumping again.) Perhaps related to the protracted timeline, Day 14 brought news of another complication, via a poster called “notchy” who identified itself on a cybercrime forum as an “affiliate plus who has been work [sic] with ALPHV for long time” and who had executed the breach of the Change databases using ALPHV’s malware.

Typically, cybersecurity expert Allan Liska says, “Ransomware as a Service” franchisors like ALPHV extract a 20 percent commission on the proceeds of their affiliates’ hacks. This time, however, that didn’t happen. Instead, according to notchy, the ALPHV team suspended its account, emptied the wallet, took all the money, and emailed the affiliate explaining that “the feds” had shut down the project, an assertion about which notchy scoffed, “No one is idiot here to believe.”

“Return what you have stole and be a man with dignity,” notchy added.

But there was no answer. ALPHV, like the unfathomably large organization on the receiving end of notchy’s ransom demand, had gone dark. Its website displaying an FBI banner declaring it had been seized by the federal government turned out to be a screenshot, and its Away message on the Tox platform offered a cryptic line in Russian that translates to “Everything is off, we decide.”

On Day 17, United emerged from its self-imposed exile to issue a press release announcing that it would begin to restore its infrastructure for processing medical claims starting the week of March 18, or Day 27 of the outage.

“We are committed to providing relief for people affected by this malicious attack on the US health system,” UnitedHealth CEO Andrew Witty said in the release.

UNITEDHEALTH, THE NATION’S FIFTH-LARGEST COMPANY, and ALPHV certainly share the spirit of maximizing their percentages of every transaction. When UnitedHealth originally filed for an initial public stock offering in 1984, most physicians did not know what it was, and were shocked to learn a for-profit company was plotting to extract a 17 percent commission off the topline revenues of the upstart health maintenance organization they had founded a decade earlier. They tried to stage a mutiny, but UnitedHealth was already too powerful to break, and its laser-like focus on extracting larger cuts from patients and doctors enabled it to easily swallow growth-minded rivals in the 1980s and 1990s.

But as public outcry toward HMO care-rationing grew during the Clinton administration, a new executive poached from the notoriously creative accounting firm Arthur Andersen envisioned a pivot for United that transcended the HMO. His name was Stephen Hemsley, and he called his vision Ingenix.

Ingenix did a lot of things. One unit oversaw clinical trials for hundreds of developing drugs, another published research on health trends; it even chartered its own bank, then called Exante, to administer tax-advantaged health savings accounts to policyholders on high-deductible plans. But it was mostly a monster of medical data, managed on behalf of hospitals and clinics and physician practices. It offered every service one could imagine feeding its insatiable thirst for market intelligence: medical billing and collections, physician credentialing, fraud and abuse detection, etc.

In 2009, physicians in New York discovered that one of Ingenix’s most widely used offerings, a database that was supposed to purvey usual and customary charges for medical treatments, was spitting out estimates far below the cost of providing care, in large part because the inputs used to determine those estimates had been systematically “scrubbed.” Fifteen years ago this month, Hemsley was hauled before the Senate to explain himself, but he didn’t give away the company’s biggest secret.

The ransomware outage at Change Healthcare has crippled large swaths of the health care system with no end or recourse in sight.

“He was building a hedge against a single-payer health system,” says Eric Vanderhoef, then the CEO of UnitedHealth’s Midwest division, of Hemsley, who still chairs the UnitedHealth board. “Because the government cannot run health care, they don’t have the expertise and they definitely don’t have the platforms or the systems. So if all of a sudden we wake up and wave a magic wand and say we are going to a single-payer system, the government would have to find some entities to administer said single-payer system, and that was going to be Ingenix. Because all of the information generated by health plans was consolidated in Ingenix.”

Ingenix ended up divesting two databases and changing its name to Optum in the aftermath of the scandal. But while the Obama administration resisted so much as a sneeze toward single-payer insurance, it did introduce a number of rules and provisions that cemented Optum’s place at the center of UnitedHealth’s growth strategy. The medical loss ratio required health insurers to spend 85 percent of their premium revenues on patient care, but smart insurers knew how to work within that. “The trick for [UnitedHealth] is that their insurance side has a fixed profit margin, and the only way you make more money on a fixed profit margin is to make the revenues go up,” explains Muir, the psychiatrist who authored the satirical town hall transcript. “So they have a fiduciary duty to their shareholders to make health care costs go up, and Optum is how they make that happen, because Optum can theoretically have a 90 percent margin.”

If you think of Optum as a collection of UnitedHealth schemes to extract an ever-larger cut of Americans’ collective medical ransom demands, Washington health care policy has been its chief co-conspirator, from the 2003 legislation that appointed pharmacy benefit managers (like Optum Rx) to be the gatekeepers of prescription drug prices and created tax-protected health savings accounts, to the 2009 stimulus bill that plowed $35 billion into incentive payments hospitals and physicians could collect for adopting electronic health records, to, of course, Obamacare, which created a sprawling data surveillance edifice dubbed “value-based care” (VBC) around which both Optum and its future subsidiary Change Healthcare built much of their business.

Much like the HMO before it, the idea behind VBC, and the “accountable care organizations” (ACOs) appointed to administer it, was that America’s ever-mushrooming health care costs—total medical expenditure, or “TME” in ACO parlance—could be contained by incentivizing clinicians and health care systems to constantly badger their patients about taking their medications and getting their regular shots and screenings and scrutinizing their charts and medical records for other preventative steps they might have missed. The premise was itself a bit shaky, but the idea was heavily reliant on the sort of analytics and software solutions health care behemoths like UnitedHealth excelled at developing and selling.

Change, whose core offering during the Bush administration was physician practice management software, sold its clients on embracing the VBC revolution. “The U.S. healthcare system is undergoing massive changes at an unprecedented rate. Our mission is to help accelerate its transformation to a value-based care system from which everyone benefits,” the company proclaimed in its 2021 annual report. (Seven of the 116 Change software applications that remained completely down as of March 8 pertain specifically to VBC.)

Optum, meanwhile, more often than not picked up the pieces when a medical practice struggled amid the new paradigm, acquiring dozens of practices employing tens of thousands of physicians over the past decade, during which its revenues mushroomed more than sixfold to about $81 billion. (Notably, Optum had been scheming to acquire Change for “the better part of a decade” by the time it agreed to do the deal, according to internal company documents cited in the Justice Department’s 2022 proposed findings of fact on the merger.)

Physicians invariably describe the value-based revolution as a soul-destroying neoliberal hellscape of never-ending busywork, punctuated by boilerplate five-minute patient visits that mostly had the effect of driving a generation of primary care physicians into early retirement. “It really detracts from the care to spend 50 percent of your time digging into patients’ charts or retraining your staff to click this box instead of that box or mastering the hierarchical coding categories just to make your patients look sicker than they are or ‘correct’ supposed ‘gaps in care’ that almost always turn out to be arbitrary reporting errors,” says Candice McElroy, a family physician based in Maine who recently quit an ACO to open a solo practice. “For every $150 they billed Medicare for my medical care, we needed to spend $100 on nonclinical efforts to make the clinic look better on paper.”

Companies like Change and Optum thrived in this new era. They sold tons of software and services, and when physicians practices or hospitals buckled under the burden of all the new quality metrics and data analysis hoops they were required to jump through, that too was an opportunity. One physician who asked for anonymity because he works for Optum says his last two practices were driven into the ground by the “unsustainable” costs of buying and maintaining VBC software and systems. “Looking back, the advent of value-based care was really the writing on the wall for primary care practices,” he told the Prospect. “The medical records and tracking systems you need to invest in, the data you need to be constantly monitoring … you need really deep pockets, and that’s for a very uncertain return.”

Even physicians like McElroy hoping to break out of their ACO “prisons” and spend more time actually talking to their patients can be satisfied Optum customers. McElroy chose an electronic health records vendor whose clearinghouse is powered by Change, meaning her practice has been financially immobilized by the ransomware attack. Fortunately, about half her patients pay her a monthly cash subscription fee in exchange for unlimited access, in a growing business model known as “direct primary care.” For the other half, she’s been manually filling out claims forms with their individual insurers, a process that will take dozens of hours to complete and dozens more to reconcile with the books she keeps on her electronic health records.

UNTIL FEBRUARY 21—“THAT DAY THAT WILL LIVE IN INFAMY,” she mused during an interview on Day 15 of the outage—Christine Meyer was the rare independent physician who has truly thrived amid the VBC revolution. Her suburban Philadelphia practice boasts 80 employees across three locations, and annual revenue exceeds $6 million. She’s a regular in Philadelphia magazine and on local news shows.

But unbeknownst to Meyer, her practice management software was integrated into numerous databases and cloud storage value-based analytics tools powered by Change Healthcare, and when the system shut down, her revenue evaporated overnight. Like McElroy, the solo practitioner in Maine, Meyer’s local software vendor has thus far proven unable to export her raw medical claim files to a different clearinghouse system. Unlike McElroy, who has roughly 200 fee-for-service patients, Meyer’s practice has 20,000, rendering virtually impossible the task of manually re-entering their patient information.

For many physicians, there have been work-arounds. Carlene MacMillan, a psychiatrist and chief medical officer of a small electronic health records software vendor called Osmind, says she was able to export most of her company’s commercially insured patient data to a competing clearinghouse called Claim.MD, a small New Mexico firm whose website currently teases, “Looking to ‘change’ your clearinghouse?” For Medicare patients, however, MacMillan was out of luck. Explanations for this weirdness were not readily apparent, but pharmacist and antitrust advocate Ben Jolley, who spent much of the last week of February helping fellow independent pharmacists navigate the Change outage, says much of the dysfunction likely springs from the ancient software architecture of medical claims files codified by the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA.

But Claim.MD founder Rob Stuart says United’s exclusivity agreements with certain insurers have been the biggest obstacle to helping desperate physicians come online again. “This situation does really emphasize the need for payers to have clearinghouse redundancy,” Stuart told the Prospect, adding that his company’s biggest challenge prior to the outage was “the consumer expectation that using the 800-pound gorilla is guaranteed to be somehow more reliable”—an expectation he anticipates “a lot of facilities will be reconsidering” now.

Whatever the underlying explanation, Meyer says, she has a $175,000 payroll bill coming due this week, and no revenue with which to fund it. Last week, Optum Financial offered affected customers emergency zero-interest loans to make it through the outage, and an offer came back for two loans totaling $3,300—“a complete joke,” she said. Other providers have been offered insultingly low loans for as little as $10.

“I don’t want to suggest anything nefarious, but it’s hard not to notice, they’re out there trying to gobble up medical practices and I’m in a position where I’m desperate,” Meyer said. “I take so much pride in this world-class team of providers we’ve built, [but] if Optum said I’ll give you $5 million for your practice …” She cut herself off, and concluded: “It’s pretty despicable.”

Indeed, United is almost certainly profiting, albeit modestly, from the ransomware attack. The $22 million ransom is a tax write-off, and experts say the company is now simply exporting all of Change’s data into Optum’s systems, something it intended to do anyway. The process has simply been accelerated by the attack. The tiny loan offers hardly tie up any of Optum’s money, and if they hook providers onto Optum’s regular offering of payday-style loans, all the better.

Most importantly, some substantial percentage of medical claims have simply not been processed since February 21, while some larger percentage of claims have been dramatically slowed down. An amusing skit on the outage by the TikTok celebrity ophthalmologist Will “Dr. Glaucomfleken” Flanary depicts a UnitedHealth cog discussing this “silver lining” of the attack with his apathetic boss:

Cog: Entire hospital systems are unable to process patient billing because of this.

Boss: What was that?

Cog: Hospitals can’t communicate with us! We can’t process claims! Medical practices and physicians can’t get reimbursed by us!

Boss: Ahhhhh, mannn.

Cog: You’re happy about this.

Boss: … Noooo.

Cog: Yes you are.

Boss: OK, maybe a little.

Cog: This will seriously disrupt patient care! People could die from this!

Boss: We’re still collecting premiums though, right?

UnitedHealth pays out a staggering $662 million worth of medical claims every day, and generated $4 billion last year solely from interest income on its massive portfolio of bonds and other securities. Even squirreling away a single day’s worth of medical expenses could yield $5 million in interest income by the end of March, which is part of the reason shareholders have not punished the company’s stock too harshly; shares are only down by about 8 percent since the attack.

And what about legal action? Dr. Glaucomfleken had a response for that too.

Boss: Yeah … but we also own that company.

Cog: What company?

Boss: You know, the … legal one.

Cog: The … federal government?


Click Here For The Original Source.


National Cyber Security