Change Healthcare cyberattack cripples healthcare providers: What to know

A cyberattack against Change Healthcare, a massive healthcare technology company, has crippled healthcare providers across the U.S., leaving them unable to process claims, bill patients and check insurance coverage for care. 

Industry leaders are calling it "the most serious incident of its kind leveled against a U.S. health care organization," so severe it could force smaller doctor’s offices to close their doors if it’s not resolved soon. 

Owned by UnitedHealth Group, Change Healthcare manages health care technology pipelines, processing 14-15 billion transactions a year and touching one in every three patient records. According to the American Hospital Association, the company handles crucial transactions that directly affect patient care, "including clinical decision support, eligibility verifications and pharmacy operations."

Blackcat, the world’s second largest ransomware group, has claimed responsibility for the attack. 

Here’s what to know about the Change Healthcare cyberattack and how it’s impacting healthcare providers nationwide. 

Change Healthcare cyberattack

On Feb. 21, the company discovered a "suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems," according to a filing with the U.S. Securities and Exchange Commission

Change Healthcare immediately disconnected from all other connecting systems – i.e. the pharmacies, doctor’s offices and hospitals that use the technology – to protect them from further attack. Nine days later, as of March 1, the systems have not been restored. 

RELATED: MGM Resorts estimates $100M loss from cyberattack that led to data breach

"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online," Change Healthcare said in a statement on its website. 

The company didn't respond to a question from The Associated Press about whether it paid or negotiated a ransom.

Change Healthcare cyberattack fallout

Although pharmacies and other providers felt the impacts immediately, the widespread fallout has been slower to materialize. In addition to issues with processing claims, billing patients and checking insurance coverage for care, the attack also could affect the ability to pay workers and buy critical supplies. 

One of the most immediate impacts is that people are seeing delays in getting prescriptions, according to the AHA. Change Healthcare said most affected pharmacies are using workarounds like writing things down. CVS and Walgreens did not respond to FOX TV Stations' request for comment. 

RELATED: CVS pharmacy upending the way it prices prescription drugs

In a statement on its website, Change Healthcare said there are "multiple workarounds to ensure people have access to the medications and the care they need," but providers say those workarounds are labor-intensive and manual, taking much longer to process. 

"For some hospitals who are exclusive to Change, many haven’t been able to submit a claim in over a week now," Colleen Kincaid, an American Hospital association spokesperson, told FOX TV Stations. "When a hospital or health system cannot process claims that has a significant impact on their ability to finance their operation."

Kincaid said roughly 82% of hospitals receive payments daily and rely on those payments to make payroll and buy medicines and other supplies. 

RELATED: Network of Chicago's Lurie Children's Hospital accessed by 'criminal threat actor'

"Many hospitals – especially those that are financially struggling – cannot easily pivot to other mechanisms or resources to pay their care teams and keep services going," she said. "When you take down a system that is responsible for submitting these claims it can have dire consequences."

Cybersecurity experts say ransomware attacks have increased substantially in recent years, especially in the health care sector. This one comes on the heels of an attack last month on a children’s hospital in Chicago, which had to take phone, email and medical records systems offline.

What is ALPHV/Noberus/Blackcat? 

Blackcat, also known as Noberus or ALPHV, is a ransomware group that uses a ransomware-as-a-service model. That means developers are responsible for creating and updating ransomware and for maintaining the illicit internet infrastructure, while affiliates are responsible for identifying and attacking high-value victim institutions with the ransomware, according to the U.S. Justice Department. After a victim pays, developers and affiliates share the ransom.

In December, the DOJ wrote that "over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims."

According to the DOJ, Blackcat actors have compromised computer networks in the United States and worldwide. 

An FBI spokesperson in Tennessee said he could not confirm or deny whether the FBI is investigating this attack, but Change Healthcare has said it is working with law enforcement and third-party consultants in its efforts to get everyone back online. 

"An attack from any hacker like this is especially dangerous in a health care setting because shutting down medical technology in hospitals and health systems can result in very serious disruption and delay to health care delivery, ultimately risking patient access and safety – which is why these cyberattacks should be considered threat to life crimes," the AHA’s Kincaid said. 

 "I can’t stress enough that the full impact of this is likely to take weeks or months to reveal itself as we learn more each day, but even after the ransomware/tech aspect of it is resolved, there will be residual impact in terms of health care providers having to catch up on everything that has been delayed," she continued. 

The Associated Press contributed to this report.