VA still dealing with fallout from Change Healthcare ransomware attack

The Department of Veterans Affairs isn’t done dealing with a February ransomware attack that had sweeping effects across public and private health care systems across the country, and at least some aspects of its operations will be affected until as late as next February, the department said Tuesday.

VA officials emphasized there were no known impacts to patient safety linked to the attack on Change Healthcare, a large data exchange provider. But like many other health systems, the Veterans Health Administration was forced to sever many of its feeds that transmit billing, prescription and other data to and from third-party providers and other vendors.

The last of those interconnections wasn’t fully restored until last month, and in several cases, the downtime created long backlogs, said Ian Komorowski, VHA’s executive director for strategic investment management.

“We have some providers that contract directly with VA. They were not able to submit [invoices] electronically for about five to 11 weeks, depending on the type of provider,” he told reporters Tuesday. “We have restored that connection. We’ve processed about 91% of those claims, and we will have full services and full payment operations for those providers back to normal by February.”

Many other data feeds affected

Other types of backlogs will likely be cleared sooner.

For example, VHA’s instance of a Change Healthcare system called Connect RX, which the department uses to process and collect payments from third-party insurance companies, was offline from late February until May 1, causing a backlog of about 1 million prescription claims. VA expects to clear that backlog by August, but it will take until October for the department to receive all of the still-outstanding payments.

Meanwhile, VA’s own payments to the two large administrators that manage its care in the community programs were also disrupted. But VA Secretary Denis McDonough said individual providers in those programs weren’t impacted.

“The biggest amount of community care referrals are through our network providers. Those two administrators, who generally split up the five regions that we have, were able to make payments to providers throughout,” he said. “So [the payment backlog] isn’t to the community providers, that’s actually to make the third party administrators whole.”

No known breaches of VA patient data

Last week, Change Healthcare began notifying hospitals, insurers and other institutional customers whose data was stolen in the attack, and said it would start notifying individual patients in July.

VA officials said that so far, the company has not been able to tell the department precisely what kinds of data may have been exposed.

“But we have been informed that we are not currently an ‘attributed entity,’ which means they cannot correlate the data that was extracted to anything specific to VA. So the knowledge of what data was exfiltrated is that it doesn’t fully correlate to VA,” Komorowski said.

And although the root cause of the cyber incident involved a vendor’s systems and not VA’s own, McDonough said the Change Healthcare episode served as something of a wake-up call, prompting the department to take new steps to shore up its own defensive posture.

“We’re being more vigilant about training, including very regular training of our personnel. I can cop to the fact that I failed a phishing test last week, so shame on me,” he said. “But the constant, very regular, unannounced training challenges for each of us are really important. We’ve been really vigilant about multifactor authentication at VA. This looks like a very elaborate attack, and it just underscores the fact that not only is this a very complex and high risk environment, but there are a lot of very highly-capable nefarious actors in the space. So we’ve got to be using all the tools available to us.”

Indeed, just last week, the Department of Health and Human Services issued a bulletin that warns about a new ransomware-as-a-service organization, likely based in Russia, that has been specifically targeting the health care sector. According to HHS, the “Qilin” operation has claimed responsibility for 60 successful ransomware attacks this year alone.

“We have lots of data that talks about threats to the health sector, because when they get hit by ransomware, they pay,” said Lynette Sherrill, VA’s chief information security officer. “So every time we see an attack on the health sector, we get the indicators of compromise from those attacks through our interagency partnerships, we bring them into our environment, we scan our entire enterprise for that same vulnerability, and we eliminate it within a couple of weeks. That’s no small feat, but my team is excellent at what they do, and they really have taken on that continuous learning culture from every single incident.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.