Zoomer Hackers Shut Down the Biggest Extortion Ring of All

Linda Witzal runs a small independent pharmacy that caters exclusively to about 1,200 residents of New Jersey senior living facilities. Virtually all the revenue she takes in comes, ultimately, from the government. In a simpler time, she billed New Jersey Medicaid directly for most of her patients. “When I started in this business, I was 28 years old, and New Jersey was actually very easy to get on the phone back then,” Witzal, now in her early sixties, recalls.

Three and a half decades later, there’s a whole legalized extortion ring that small pharmacies like Witzal’s need to pay off to access Medicare and Medicaid funds, a symptom of the middleman creep in the pharmaceutical transaction chain. Standing between pharmacies and reimbursement checks for the drugs they dispense include the administrators of managed care programs, the tyrannical triumvirate of dominant pharmacy benefit managers that represent about 85 percent of all health plans, and Change Healthcare, the electronic data clearinghouse—or “switch,” as pharmacists call them—she uses to access the computer ecosystems of these middlemen. Until last week, Witzal viewed Change as one of the least-bad gatekeepers in the pharmacy business, though that was starting to change in the aftermath of its 2022 acquisition by UnitedHealth Group, the $372 billion Minnesota health care leviathan, which axed hundreds of tech and call center employees immediately after closing the deal. “It was getting harder and harder to get someone on the phone,” she says.

Then just over a week ago, Change abruptly shut down for Witzal and 67,000 other pharmacies it services. The company, it turned out, had been attacked by an extortion ring of its own, a hacker UnitedHealth initially identified in a Securities and Exchange Commission filing as a “suspected nation-state-associated cyber security threat actor” but has since emerged as the ransomware gang BlackCat/ALPHV, whose affiliates cybersecurity experts have previously described as native English speakers from predominantly “Western countries” between the ages of 17 and 22.

More from Maureen Tkacik

Ransomware gangs, which brought in a record $1.1 billion in 2023, have besieged the U.S. health care system in recent years. Four of last year’s ten most disruptive ransomware hacks attacked health care providers, and affiliates of BlackCat/ALPHV alone took credit for attacks on at least three hospital systems and an electronic health records provider last year. Last summer, the private equity–gutted Prospect Medical chain of safety-net hospitals descended into chaos at the hands of a ransomware gang, and was forced to divert patients from some hospitals for weeks.

But the sheer size of the data cache held by Change puts this breach in a different class. The company, which is believed to process at least half of all the health insurance claims filed in the entire country, is the agglomeration of dozens of smaller data providers, stitched together through the years.

“It’s an order of magnitude worse than anything I’ve ever seen,” says Luke Slindee, a Minnesota pharmacy consultant who has worked for United in the past. “Change has, over a long time period, become the IT vendor of an ungodly amount of things. The reason everyone is talking about pharmacies is because that’s one of the few places in health care where stuff actually happens in real time, but I guarantee you there are entire medical offices and clinics that are not able to do anything either … Everything about this is a disaster.”

THE ROOTS OF CHANGE TRACE BACK TO A COMPANY called Healthcare Data Interchange Corp., a unit of the giant insurer Aetna. In 1997, Healthcare Data Interchange was acquired by a Nashville payment processing company called Envoy, which was in turn acquired in 2000 by the dot-com startup Healtheon/WebMD, which scooped up dozens of smaller firms using its high-flying stock price during the first dot-com boom while promising to bring health care into the “cyberspace era.” After ten WebMD executives were indicted in an accounting fraud and kickback scheme, the company changed its name to Emdeon and reinvented itself as a low-key consolidator of just about every kind of software or information technology vendor in the business. It sold out to the private equity firm Blackstone in 2011, which moved the conglomerate to Nashville and renamed it “Change” after buying another firm with that name in 2014, by which point Emdeon had absorbed at least 24 separate companies.

Change owns bill collectors, consultancies, IT outsourcing firms, a bare-bones pharmacy benefit manager (PBM) that administers co-pay assistance programs and processes Medicaid claims in 11 states, auditing and verification systems, and practice managers. “The healthcare system, and how payers and providers transact, would not work without Change,” the company boasted in one prescient presentation referenced in the DOJ’s failed 2022 antitrust lawsuit to block the company’s acquisition by UnitedHealth. And sure enough, the Change ransomware outage has upended operations for untold numbers of health care providers.

PBM abuse has galvanized independent pharmacists into perhaps the single most emphatically anti-monopoly small-business lobby in America, and they have seized on the outage as a belated vindication for the Change/UnitedHealth lawsuit, which the media portrayed at the time as a quixotic power grab. (It died at the hands of a preposterous ruling by federal judge Carl Nichols that essentially amounted to “But they promise they won’t do anything bad.”) Revisiting the 199-page proposed findings of fact the agency produced in that case, I wonder how the DOJ might tweak its argument with the benefit of hindsight. Like most defenses of anti-competitive mergers, UnitedHealth’s response focused heavily on highlighting the “efficiencies” it would bring to Change’s operations. The DOJ, by contrast, built its case around the harms United might inflict upon its competitors using Change’s arsenal of data, and swatted away the “efficiencies” argument like the mosquito it was.

But anyone who lives in the world knows that what corporate lawyers call “efficiency” is in reality almost always the direct antithesis of the word. Debilitating—and, duh, inefficient!—ransomware attacks almost always occur after layoffs, outsourcing, and budget cuts that invariably give short shrift to luxuries like data protection and cybersecurity.

PBM abuse has galvanized independent pharmacists into perhaps the single most emphatically anti-monopoly small-business lobby in America.

Just consider the targets of some of the most disruptive ransomware attacks of recent years. Colonial Pipeline had paid out dividends in excess of its profits to owners like Koch Industries for years leading up to the hack that caused a nationwide run on gas stations. Prospect Medical paid out $658 million in dividends to private equity owners while shirking its ambulance gas bills in the years before its crippling August ransomware attack. The casino conglomerate Caesars and the hospital chain Ardent Health Services were both strip-mined by confederations of private equity firms and real estate investment trusts in the years before their ransomware attacks last fall. The enterprise software company Citrix was taken private in a mind-bending buyout deal so overleveraged the company could not afford to make its first interest payment even after laying off 1,000 workers, just a year before a ransomware gang developed a customized hack called “CitrixBleed,” targeting customers from Comcast to a major mortgage servicer.

Change was strapped for cash when UnitedHealth acquired it, because its owners had been raiding its balance sheet for years. When it went public in 2019, $450 million of its $3 billion in annual revenue was being siphoned off into interest expenses on its massive debt load and pseudo-dividends to its owners, which were called “tax receivable agreements.” UnitedHealth cut still deeper, according to pharmacists and online reports. In October, a trade publication collected ten separate reports of widespread, high-level layoffs at Change’s new parent company Optum, and message boards like Reddit and TheLayoff are full of online accounts suggesting United deliberately conducts rolling, mass layoffs “in secret.”

On Monday, The Examiner News of New York’s Hudson Valley broke the news that the DOJ had been conducting a broader investigation into UnitedHealth since last October, in a story that also mentioned that the company had just last week laid off 119 employees from a medical practice it had acquired in 2022. Companies with more than 100 employees are required by law to warn them 60 days in advance of layoffs affecting more than 50 people at a given site, but according to a layoff tracking site, UnitedHealth hasn’t filed such a notice since 2010.

Which brings me to another unappreciated problem with monopolies: They act like they are above the law because they are. UnitedHealth is so big and dominant that traditional antitrust concepts are insufficient to describe the harms that result from making it even bigger. After United purchased the senior care utilization management software NaviHealth in 2020, for instance, there is no evidence it used the company’s data to spy on NaviHealth client competitors like Humana. What we do know, thanks to an appalling investigation by STAT News, is that United immediately tweaked NaviHealth’s algorithm to force case managers to systematically discharge postoperative Medicare Advantage patients from rehabilitation facilities well before they were ready to go home. United was far more interested in using NaviHealth as a pretext for denying care to sick patients than it was in exploiting its data. This was not new behavior for the health care colossus. In 2008, then-New York Attorney General Andrew Cuomo sued the company after discovering that its claims database Ingenix, which evolved from a company called Medicode, Inc., it acquired a decade earlier, was actually little more than an elaborate scheme to defraud providers by spitting out lowball “reasonable and customary” estimates for medical services provided. (Far from hoarding this fake information for its own purposes, United sold Ingenix’s fraudulent data to Aetna, Cigna, Wellpoint, and others.)

It stands to reason that UnitedHealth likely acquired Change with the intention of using its “services” in similarly pretextual fashion, to systematically screw patients and providers with a patina of plausible deniability. Surely the ongoing antitrust investigation can incorporate this analysis and use it to break United’s power.

But the ransomware gang got to the job first, which has left many pharmacists pondering how the system might work if somehow they could dispose of all the profiteering middlemen. “It was on this day in History, where Change Healthcare went offline and every Indy in the United States turned a profit,” joked the California retailer behind the “Angry Pharmacist” podcast and blog.

UNITED CLAIMS THAT 90 PERCENT OF ITS PHARMACY CUSTOMERS have established “workarounds,” enabling them to process claims without its clearinghouse services. For most transactions, the workaround has simply involved rerouting claims through Change’s primary competitor, Relay, which is owned by the drug distribution goliath McKesson (which also, oddly enough, co-owned Change with Blackstone between 2016 and 2020).

But for transactions involving insurers or providers that outsource claims processing to Change, the “workarounds” have been more challenging. Physicians who use Change to process their e-prescriptions have had to revert to paper prescriptions, and states like Colorado that require doctors to e-prescribe controlled substances have temporarily relaxed those requirements. Eleven state Medicaid programs and several Medicare Part B contractors use Change to process claims, and for some the only workaround so far has involved giving patients their drugs and praying the system comes back online soon.

So far, Witzal has used the “honor system” to dole out just over $1,000 worth of medication, mostly vaccines administered through Medicare Part B. “If this happened in September, when I’m doing hundreds of thousands of dollars worth of flu and RSV vaccines, I don’t know what I would even do, I would literally be finished,” she said.

In Utah, one of the states whose Medicaid program uses Change, the week has been oddly liberating, says Benjamin Jolley, a compounding pharmacist and self-described “anti-monopoly crusader” in the state. After working through the weekend to reach out to tens of thousands of patients with unfilled prescriptions in the system, the state decided to simply put together a simple four-question Google form for pharmacies to file requests for reimbursement until the system is back up and running. “[It’s] janky and hacky, but it does the job,” said Jolley, who has filled $1,500 in Medicaid prescriptions since the outage started and filed for reimbursement yesterday. “Presumably if anyone asks for an abnormally high figure they’ll look at their history and give them a call.”

But the mere fact that a state government decided to reimburse pharmacists using a Google form is a powerful reminder that even massive health care bureaucracies can emancipate themselves from the tyranny of health care middlemen if they want to, says upstate New York community pharmacist Steve Moore, who has spent the past several years slowly but successfully lobbying his own state Medicaid authorities to banish the dominant PBMs they once contracted to manage their pharmacy benefits.

Until last year, he says, PBMs alone extracted such an enormous cut of drug costs that he grossed just 50 cents dispensing medication to a Medicaid patient. Now he makes a few dollars on most sales, and the state still expects to save more than $700 million this year that the PBMs had previously been extracting in fees and spread pricing.

It wasn’t easy to get the state to forswear PBMs: Industry advocates promised “massive confusion” and also “Armageddon” and successfully postponed the switch by two years. “They literally had a ‘die-in’ at the state capitol,” Moore laughs, referencing a group of astroturf activists organized by an HIV/AIDS nonprofit who protested the state’s insourcing of its Medicaid drug program by lying down on the floor of the statehouse the week before the change went into effect, supposedly concerned the change would threaten safety-net hospitals and community clinics. (A long story but … it didn’t.)

Now that the pharmacy benefit racket has produced a doomsday scenario all by itself, independent pharmacists hope the Change outage will spur health care bureaucrats in other states to ponder similar reforms. Witzal, for her part, still pines for the days when you could get the government on the phone when a nursing home resident needed a drug. “They had some really capable people working in the Medicaid system back then and when you had a problem they would pick up the phone and help you,” she remembers. “It was nothing like today.”