2024-02-26
Change Healthcare/Optum Compromise Still Affecting Pharmacy Billing
Last week, Change Healthcare, part of Optum, detected a compromise in its network. In response, it disabled a number of services. The most prominent effect has been the continuing unavailability of some billing services for pharmacies. Early reports indicate that the incident may have been enabled by last week's ConnectWise ScreenConnect vulnerability, which allowed the ALPHV/BlackCat ransomware group to access internal systems.
Editor's Note
The ScreenConnect vulnerabilities, CVE-2024-1709 (authentication bypass, CVSS score 10) and CVE-2024-1708 (path-traversal flaw, CVSS score 8.4), can be mitigated by updating to version 23.9.8. Monitor the ScreenConnect App_Extensions folder for suspicious .aspx and .ashx files. Note CVE-2024-1709 has been added to the CISA KEV catalog with a due date of 2/29. ConnectWise has also revoked licenses for unpatched servers, which may help reduce the attack vector. In the meantime, Change Healthcare is still working to restore services; they have published a dashboard providing incredible transparency on all their application component statuses, which should help IT staff working to bring services back online. They also provide a mechanism for filing a support ticket for issues with services not identified.
Lee Neely
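The folder check recommended in the note above, as an added example that is not part of the original newsletter or any ConnectWise tooling: it walks an App_Extensions directory, lists every .aspx and .ashx file with its modification time, size and SHA-256, and marks files changed on or after a cutoff date. The folder path and the cutoff are supplied by the operator and are assumptions, as are the function names.

```python
"""List .aspx/.ashx files under a ScreenConnect App_Extensions folder for review."""
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_SUFFIXES = {".aspx", ".ashx"}  # extensions named in the editor's note


def sha256_of(path: Path) -> str:
    """Hash in chunks so large files do not load into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_extensions(root, since=None):
    """Return one record per .aspx/.ashx file under root, newest first.

    `since` (timezone-aware datetime, optional) marks files modified on or
    after it as "recent"; the cutoff is the reviewer's choice (assumption).
    """
    findings = []
    for path in Path(root).rglob("*"):
        # Case-insensitive match so Handler.ASHX is not missed.
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        stat = path.stat()
        modified = datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc)
        findings.append({
            "path": str(path),
            "modified_utc": modified,
            "size": stat.st_size,
            "sha256": sha256_of(path),
            "recent": since is not None and modified >= since,
        })
    return sorted(findings, key=lambda f: f["modified_utc"], reverse=True)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: scan_app_extensions.py <App_Extensions path> [YYYY-MM-DD]")
    cutoff = None
    if len(sys.argv) > 2:
        cutoff = datetime.strptime(sys.argv[2], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    for f in scan_extensions(sys.argv[1], cutoff):
        flag = "RECENT" if f["recent"] else "      "
        print(f'{flag} {f["modified_utc"]:%Y-%m-%d %H:%M:%S}Z {f["size"]:>8} {f["sha256"]} {f["path"]}')
```

Modification times can be altered by whoever wrote a file, so the hash and path of each hit are worth comparing against a known-good installation rather than relying on the "recent" flag alone.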
Read more in
Change Healthcare: Update: Some applications are experiencing connectivity issues
Reuters: US pharmacy outage triggered by 'Blackcat' ransomware at UnitedHealth unit, sources say
The Register: ALPHV/BlackCat responsible for Change Healthcare cyberattack
SC Magazine: Exclusive: Cyberattack on Change Healthcare was an exploit of the ConnectWise flaw
Dark Reading: ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware