CBS News
Hacking at UnitedHealth unit cripples a swath of the U.S. health system: What to know
Early in the morning of Feb. 21, Change Healthcare, a company unknown to most Americans that plays a huge role in the U.S. health system, issued a brief statement saying some of its applications were “currently unavailable.”
By the afternoon, the company described the situation as a “cybersecurity” problem.
Since then, it has rapidly blossomed into a crisis.
The company, recently purchased by insurance giant UnitedHealth Group, reportedly suffered a cyberattack. The impact is wide and expected to grow. Change Healthcare’s business is maintaining health care’s pipelines — payments, requests for insurers to authorize care, and much more. Those pipes handle a big load: Change says on its website, “Our cloud-based network supports 14 billion clinical, financial, and operational transactions annually.”
Initial media reports have focused on the impact on pharmacies, but techies say that’s understating the issue. The American Hospital Association says many of its members aren’t getting paid and that doctors can’t check whether patients have coverage for care.
But even that’s just a slice of the emergency: CommonWell, an institution that helps health providers share medical records, information critical to care, also relies on Change technology. The system contained records on 208 million individuals as of July 2023. Courtney Baker, CommonWell marketing manager, said the network “has been disabled out of an abundance of caution.”
“It’s small ripple pools that will get bigger and bigger over time, if it doesn’t get solved,” Saad Chaudhry, chief digital and information officer at Luminis Health, a hospital system in Maryland, told KFF Health News.
Here’s what to know about the hack.
Who did it?
Media reports are fingering ALPHV, a notorious ransomware group also known as Blackcat, which has become the target of numerous law enforcement agencies worldwide. While UnitedHealth Group has said it is a “suspected nation-state associated” attack, some outside analysts dispute the linkage. The gang has previously been blamed for hacking casino companies MGM and Caesars, among many other targets.
The Department of Justice alleged in December, before the Change hack, that the group’s victims had already paid it hundreds of millions of dollars in ransoms.
Is this a new problem?
Absolutely not. A study published in JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other providers doubled from 2016 to 2021.
“It’s more of the same, man,” said Aaron Miri, the chief digital and information officer at Baptist Health in Jacksonville, Florida.
Because the assaults disable the target’s computer systems, providers have to shift to paper, slowing them down and making them vulnerable to missing information.
Further, a study published in May 2023 in JAMA Network Open examining the effects of an attack on a health system found that waiting times, median length of stay, and incidents of patients leaving against medical advice all increased — at neighboring emergency departments. The results, the authors wrote, mean cyberattacks “should be considered a regional disaster.”
Attacks have devastated rural hospitals, Miri said. And wherever health care providers are hit, patient safety issues follow.
What does it mean for patients?
Year after year, more Americans’ health data is breached. That exposes people to identity theft and medical error.
Care can also suffer. For example, a 2017 attack, dubbed “NotPetya,” forced a rural West Virginia hospital to reboot its operations and hit pharma company Merck so hard it wasn’t able to fulfill production targets for an HPV vaccine.
Because of the Change Healthcare attack, some patients may be routed to new pharmacies less affected by billing problems. Patients’ bills may also be delayed, industry executives said. At some point, many patients are likely to receive notices their data was breached. Depending on the exact data that has been pilfered, those patients may be at risk for identity theft, Chaudhry said. Companies often offer free credit monitoring services in those situations.
“Patients are dying because of this,” Miri said. Indeed, an October preprint from researchers at the University of Minnesota found a nearly 21% increase in mortality for patients in a ransomware-stricken hospital.
How Did It Happen?
The Health Information Sharing and Analysis Center, an industry coordinating group that disseminates intel on attacks, has told its members that flaws in an application called ConnectWise ScreenConnect are to blame. Exact details couldn’t be confirmed.
It’s a tool tech support teams use to remotely troubleshoot computer problems, and the attack is “apparently fairly trivial to execute,” H-ISAC warned members. The group said it expects additional victims and advised its members to update their technology. When the attack first hit, the AHA recommended its members disconnect from systems both at Change and its corporate parent, UnitedHealth’s Optum unit. That would affect services ranging from claims approvals to reference tools.
Millions of Americans see physicians and other practitioners employed by UnitedHealth and are covered by the company’s insurance plans.
UnitedHealth has said only Change’s systems are affected and that it’s safe for hospitals to use other digital services provided by UnitedHealth and Optum, which include claims filing and processing systems.
But not many chief information officers “are jumping to reconnect,” Chaudhry said. “It’s an uneasy feeling.”
Miri says Baptist is using the conglomerate’s technology and that he trusts UnitedHealth’s word that it’s safe.
Where’s the Federal Government?
Neither executive was sanguine about the future of cybersecurity in health care. “It’s going to get worse,” Chaudhry said.
“It’s a shame the feds aren’t helping more,” Miri said. “You’d think if our nuclear infrastructure were under attack the feds would respond with more gusto.”
While the departments of Justice and State have targeted the ALPHV group, the government has stayed behind the scenes more in the aftermath of this attack. Chaudhry said the FBI and the Department of Health and Human Services have been attending calls organized by the AHA to brief members about the situation.
Miri said rural hospitals in particular could use more funding for security and that agencies like the Food and Drug Administration should have mandatory standards for cybersecurity.
There’s some recognition among officials that improvements need to be made.
“This latest attack is just more evidence that the status quo isn’t working and we have to take steps to shore up cybersecurity in the health industry,” said Sen. Mark Warner (D-Va.), the chair of the Senate Select Committee on Intelligence and a longtime advocate for stronger cybersecurity, in a statement to KFF Health News.
KFF Health News (formerly known as Kaiser Health News, or KHN) is a national newsroom that produces in-depth journalism about health issues. Together with Policy Analysis and Polling, KHN is one of the three major operating programs at KFF (Kaiser Family Foundation). KFF is an endowed nonprofit organization providing information on health issues to the nation.
Watch CBS News
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.
CBS News
Sen. Duckworth says Trump defense secretary pick is “flat-out wrong” about women in combat roles
Democratic Sen. Tammy Duckworth said Sunday that Pete Hegseth, President-elect Donald Trump’s pick for defense secretary is “flat-out wrong” in his view that women should not serve in the military in combat roles.
“Our military could not go to war without the women who wear this uniform,” Duckworth said on “Face the Nation with Margaret Brennan.” “And frankly, America’s daughters are just as capable of defending liberty and freedom as her sons.”
Trump tapped Hegseth, a former Fox News host and Army veteran who served in Iraq and Afghanistan as his pick to head the Defense Department earlier this month. The 44-year-old has drawn criticism for his stance on women in combat roles, along with his level of experience.
Duckworth, who in 2004 deployed to Iraq as a Blackhawk helicopter pilot and sustained severe injuries when her helicopter was hit by an RPG, outlined that women who serve in combat roles have met the same standards as men, passing rigorous testing. She said Hegseth’s position “just shows his lack of understanding of where our military is,” while arguing that he’s “inordinately unqualified for the position.”
CBS News
“Our military could not go to war without the 220,000-plus women who serve in uniform,” Duckworth said. She added that having women in the military “does make us more effective, does make us more lethal.”
Hegseth has also drawn scrutiny amid recently unearthed details about an investigation into an alleged sexual assault in 2017. Hegseth denies the allegation and characterized the incident as a consensual encounter. The Monterey County district attorney’s office declined to file charges as none were “supported by proof beyond a reasonable doubt.” His lawyer has acknowledged that Hegseth paid a confidential financial settlement to the woman out of concern that the allegation would jeopardize his employment.
Duckworth, an Illinois Democrat who serves on the Armed Services and Foreign Relations Committees, said it’s “really troubling” that Trump would nominate someone who “has admitted that he’s paid off a victim who has claimed rape allegations against him.”
“This is not the kind of person you want to lead the Department of Defense,” she added.
The comments come after Trump announced a slew of picks for top posts in his administration in recent days. Meanwhile, one pick — former Rep. Matt Gaetz for attorney general — has already withdrawn his name from consideration after he faced intense scrutiny amid a House Ethics Committee investigation and a tenuous path to Senate confirmation.
While Duckworth acknowledged that she’s glad her Senate Republicans “held the line” on Gaetz and also elected Sen. John Thune as leader over a candidate favored by many in Trump’s orbit, she said she’s “deeply concerned” her Republican colleagues will green light Trump’s nominees.
“From what I’m hearing from my Republican colleagues on everything from defense secretary to other posts, it sounds like they are ready to roll over for Mr. Trump,” Duckworth said.
But Duckworth didn’t rule out supporting some of the nominees herself during the Senate confirmation process, pledged to evaluate each candidate based on their ability to do the job, and their willingness to put the needs of the American people before “a retribution campaign for Mr. Trump.”
Meanwhile, a CBS News poll released on Sunday found that 33% of Americans say Hegseth is a “good choice” for defense secretary, including 64% of Trump voters. But 39% of Americans said they hadn’t heard enough yet about the pick. More broadly, Americans generally say they want Trump to appoint people who’ll speak their minds and who have experience in the field or agency they’ll run.
Sen. Rand Paul, a Kentucky Republican who also appeared on “Face the Nation” on Sunday, said he believes that Hegseth can run the massive Defense Department, despite his lack of experience managing a large organization. Though he did not address Hegseth’s comments about women in combat roles, Paul said he believes the “vast majority of people” support leaders who are picked based on merit, citing Hegseth’s criticism of the Pentagon for what he says has been a move away from merit-based hiring and toward hiring based on “racial characteristics.”
Hezbollah fired at least 185 rockets and other projectiles into Israel on Sunday, wounding seven people in the militant group’s heaviest barrage in several days, in response to deadly Israeli strikes in Beirut while negotiators pressed on with cease-fire efforts to halt the war.
Meanwhile, an Israeli strike on a Lebanese army center killed one soldier and wounded 18 others on the southwestern coastal road between Tyre and Naqoura, Lebanon’s military said. Israel’s military expressed regret and said the strike occurred in an area of combat against Hezbollah, adding that its operations are directed solely against the militants. The strike was under review.
Hussein Malla / AP
Israeli strikes have killed over 40 Lebanese troops since the start of the war between Israel and Hezbollah, even as Lebanon’s military has largely kept to the sidelines.
Lebanon’s caretaker prime minister, Najib Mikati, condemned it as an assault on U.S.-led cease-fire efforts, calling it a “direct, bloody message rejecting all efforts and ongoing contacts” to end the war.
“(Israel is) again writing in Lebanese blood a brazen rejection of the solution that is being discussed,” a statement from his office read.
The strike occurred in southwestern Lebanon on the coastal road between Tyre and Naqoura, where there has been heavy fighting between Israel and Hezbollah.
Hezbollah began firing rockets, missiles and drones into Israel after Hamas’ Oct. 7, 2023, attack out of the Gaza Strip ignited the war there. Hezbollah has portrayed the attacks as an act of solidarity with the Palestinians and Hamas. Iran supports both armed groups.
Israel has launched retaliatory airstrikes since the rocket fire began, and in September the low-level conflict erupted into all-out war, as Israel launched waves of airstrikes across large parts of Lebanon and killed Hezbollah’s top leader, Hassan Nasrallah, and several of his top commanders.
Hezbollah fired a total of around 160 rockets and other projectiles into Israel on Sunday, some of which were intercepted, the Israeli military said.
Oded Balilty / AP
Israel’s Magen David Adom rescue service said it was treating two people in the central city of Petah Tikva, a 23-year-old man who was lightly wounded by a blast and a 70-year-old woman suffering from smoke inhalation from a car that caught fire. The first responders said they treated three other people in northern Israel, closer to the border, including a 60-year-old man in serious condition.
It was unclear whether the injuries and damage were caused by the rockets or interceptors.
Israeli airstrikes early Saturday pounded central Beirut, killing at least 20 people and wounding 66, according to Lebanon’s Health Ministry.
Israeli attacks have killed more than 3,500 people in Lebanon, according to Lebanon’s Health Ministry. The fighting has displaced about 1.2 million people, or a quarter of Lebanon’s population.
On the Israeli side, about 90 soldiers and nearly 50 civilians have been killed by bombardments in northern Israel and in battle following Israel’s ground invasion in early October. Around 60,000 Israelis have been displaced from the country’s north.
The Biden administration has spent months trying to broker a cease-fire, and U.S. envoy Amos Hochstein was back in the region last week.
The European Union’s top diplomat called for more pressure on both Israel and Hezbollah to reach a deal, saying one was “pending with a final agreement from the Israeli government.”
Josep Borrell spoke Sunday after meeting with Mikati and Lebanese Parliament Speaker Nabih Berri, a Hezbollah ally who has been mediating with the group.
Borrell said the EU is ready to allocate 200 million euros ($208m) to assist the Lebanese military, which would deploy additional forces to the south.
The emerging agreement would pave the way for the withdrawal of Hezbollah militants and Israeli troops from southern Lebanon below the Litani River in accordance with the U.N. Security Council resolution that ended the 2006 war. Lebanese troops would patrol the area, with the presence of U.N. peacekeepers.
Lebanon’s army reflects the religious diversity of the country and is respected as a national institution, but it does not have the military capability to impose its will on Hezbollah or resist Israel’s invasion.
Sen. Tammy Duckworth says Pete Hegseth is “flat-out wrong” about women in combat roles
Sen. Duckworth says Trump defense secretary pick is “flat-out wrong” about women in combat roles
Israeli strike kills Lebanese soldier as Hezbollah fires at least 185 rockets at Israel
Sen. Tammy Duckworth says Pete Hegseth is “flat-out wrong” about women in combat roles
Sen. Duckworth says Trump defense secretary pick is “flat-out wrong” about women in combat roles