Negotiating with health care hackers

Presented by The American Hospital Association

With Sophie Gardner

Driving The Day

YOU’VE BEEN HACKED. NOW WHAT? Health care companies are retaining help — often from Silicon Valley — to manage ransomware attacks.

The debilitating breaches at Change Healthcare, owned by UnitedHealth Group, in February and Ascension last month come as the Cybersecurity and Infrastructure Security Agency warns of a specific ransomware service targeting health care organizations — and have led cybersecurity experts to advise the sector on reducing risk.

UnitedHealth Group and Ascension hired cybersecurity firms — Mandiant, a subsidiary of Google; Palo Alto Networks’ Unit 42; and CYPFER — after the breaches. The ransomware experts declined to comment on their roles in negotiating for the companies. But Pulse spoke with ransom negotiators and cybersecurity experts about what happens when they’re called in to negotiate on behalf of a health care company.

Establishing the harm: Kurtis Minder, co-founder of GroupSense, a ransomware negotiator service that’s worked with pharmaceutical companies, said he starts by helping hacking victims understand the total cost of the breach — including human or patient harm.

The companies, he said, have to consider whether they should temporarily go offline to curb the financial or reputational impact.

Scott Bailey, a partner at N1 Discovery, which provides cybersecurity services and has negotiated ransomware attacks at health care systems in Michigan, said negotiators must then determine how much data has been stolen. Otherwise, they’re relying on the bad actors to tell them what they have.

Pay the ransom, or not? Paying the ransom is usually the only way to secure stolen information and restore access to encrypted systems, according to Minder and Bailey. Ransomware negotiators communicate with bad actors to hammer out how much they’re willing to pay.

“The data they stole is so highly sensitive and confidential that you’re willing to pay the ransom in hope that they’ll give it back and not destroy it or publish it,” Bailey said.

UnitedHealth Group CEO Andrew Witty told Congress earlier this month that the company paid a $22 million ransom to protect stolen patient data.

“Even the organizations that have great backup strategies end up having to pay because the restoration process would take so much time,” Minder said. “It is so complicated, and when you're talking about patient well-being, that puts an additional pressure on it. They can’t wait to see if their backup strategy is going to work.”

Federal help? While federal officials have gotten involved in the attacks on Ascension and Change Healthcare, Minder and Bailey said they’re limited to investigating what happened. “It’s not their job” to get companies back to operations, Bailey said.

Hospitals want federal officials to do more to tackle bad actors and have pushed back against HHS mandates, including establishing minimum cybersecurity standards for hospitals.

“Right now, a lot of these organizations have two options: They stop operating and, in health care, someone might die, or they pay the ransom,” Minder said.

WELCOME TO FRIDAY PULSE. The Department of Justice yesterday proposed reclassifying marijuana to a less restrictive category following an HHS recommendation. Follow along @ChelseaCirruzzo and @_BenLeonard_.

In Congress

HEALTH FUNDING SLASH: Health appropriation bills in fiscal 2025 might be subject to “significant cuts” partly due to congressional limits, according to House Appropriations Committee Chair Tom Cole (R-Okla.).

On Thursday, Cole outlined the interim subcommittee allocations, which are the caps on spending for each appropriation bill. Nondefense programs are being cut by 6 percent, according to Cole, with health, labor, education, financial services and state foreign operations seeing the most significant cuts at 10 to 11 percent. Veterans Affairs, which includes veterans’ medical benefits, will be fully funded.

These amounts could change with the president’s budget requests and offsets by the Congressional Budget Office.

The interim funding for labor and health services is $184.5 billion. Funding for agricultural programs, which includes the Food and Drug Administration, is $25.8 billion.

HHS requested $130.7 billion in discretionary funding and $1.7 trillion in mandatory funding in its fiscal 2025 budget request.

Abortion

ABORTION AMENDMENT CERTIFIED FOR SD BALLOT — A proposal to amend South Dakota’s constitution to protect abortion access has received enough valid signatures to qualify for the November ballot, state election officials said Thursday.

The measure’s certification comes after a push by anti-abortion organizers in recent days to get people who signed the petition to formally withdraw their support. By Thursday, only 19 removal requests out of 54,281 submitted signatures had been filed with the secretary of state’s office.

“Today, the fight begins,” campaign chair Rick Weiland said in a statement. “We hope there can be a civil discussion about deeply held moral beliefs leading to a reasoned decision balancing the rights of us all.”

The proposal doesn’t have support from national abortion-rights groups, who’ve criticized the measure for not going far enough to restore access to the procedure. But its passage would restore access in a state where abortion has been illegal in almost all circumstances for nearly two years.

The measure takes a Roe-like approach to abortion by barring South Dakota from restricting abortion in the first trimester of pregnancy but allowing the state to regulate it “in ways that are reasonably related to the physical health of the pregnant woman” in the second trimester. It also allows the state to regulate or ban abortion after the fetus is viable, at around 24 weeks of pregnancy, unless it’s needed to save a mother’s life.

Anti-abortion advocates have promised to challenge the measure’s certification in the next 30 days.

Telehealth

TELEHEALTH MOVES FORWARD — A bill to extend eased telehealth rules in the Medicare program advanced out of the House Energy and Commerce Health Subcommittee yesterday, Ben reports.

The legislation is largely in line with a bill that the House Ways and Means Committee advanced unanimously last week. The telehealth rules, which were rolled back during the height of the pandemic, expire at year’s end, along with hospital-at-home waivers. Like the W&M bill, the E&C bill would extend those waivers for five years and use pharmacy benefit manager reform as a pay-for.

The two bills also have similar provisions to reduce fraud related to lab tests and durable medical equipment.

The differences: Unlike the W&M bill, the E&C bill would establish payment parity for federally qualified health centers and rural health clinics for in-person and virtual care. How much to pay for virtual care versus in-person care, including in those settings, will be a key question going forward.

Another difference between the two bills is that the E&C bill has a required modifier for billing for telehealth offered via a “telehealth virtual platform” and nonphysician providers.

Public Health

REINING IN THE MEASLES OUTBREAKS: Six of the eight measles outbreaks reported to the CDC this year have ended, according to a CDC spokesperson, Sophie reports.

And an outbreak at a migrant shelter in Chicago — which resulted in 57 cases — has also petered out.

The outbreak was contained after a massive vaccination effort by the Chicago Department of Public Health across the shelter, according to a new CDC report. In March, CDPH verified vaccine records for 784 residents and vaccinated 882 residents.

The CDC also came to the state to aid the response.

Why it matters: The threat of measles outbreaks has loomed over the CDC as vaccination skepticism soared after the height of the Covid-19 pandemic. Migrant shelters pose a particular risk as many residents might not be vaccinated or have records of vaccination. But the report shows that a large-scale vaccination campaign after the first positive case can work to stamp out the outbreak.

Even so: New measles cases are still popping up around the country, and they're up significantly in 2024. As of May 9, there have been 132 cases, the highest number in the U.S. since 2019. Measles cases are also on the rise globally.

AROUND THE AGENCIES

MOTION FOR STAY — The Florida attorney general and others have asked a Florida judge to issue a preliminary stay on an HHS rule to strengthen nondiscrimination protections for LGBTQ+ patients in health care services.

Background: Florida and some medical groups sued the Biden administration last week over the rule, which clarified that provision 1557 of the Affordable Care Act forbids providers from discriminating against patients based on their gender identity or sexuality. Florida has argued that the rule violates state law barring gender-affirming care for minors and forces providers to give this care.

The motion, filed late Wednesday, said that “plaintiffs are likely to succeed on the merits, will suffer imminent and irreparable injury absent temporary relief, and the balance of harms favors Plaintiffs.” The plaintiffs want the judge in the case to pause the rule from taking effect until the case is over.

Names in the News

Sophia Nilanont is joining the American Heart Association next week as global advocacy portfolio lead. She was previously at CVS Health.

John O’Brien is joining Manatt, Phelps & Phillips’ health care industry group as national adviser. He was previously with HHS and CMS.

WHAT WE'RE READING

The New York Times reports on the CDC warning of a resurgence in mpox.

Modern Healthcare reports on a California plan to redo its Medicaid program that leans heavily on nonprofit service providers.