14
Aug 20

Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack

R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.

Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide.

R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.

The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.

The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.

It’s unclear when the intruders first breached R1’s networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020.

R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray.

Defray was first spotted in 2017, and its purveyors have a history of specifically targeting companies in the healthcare space. According to Trend Micro, Defray usually is spread via booby-trapped Microsoft Office documents sent via email.

“The phishing emails the authors use are well-crafted,” Trend Micro wrote. For example, in an attack targeting a hospital, the phishing email was made to look like it came from a hospital IT manager, with the malicious files disguised as patient reports.

Email security company Proofpoint says the Defray ransomware is somewhat unusual in that it is typically deployed in small, targeted attacks as opposed to large-scale “spray and pray” email malware campaigns.

“It appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely,” Proofpoint observed.

A recent report (PDF) from Corvus Insurance notes that ransomware attacks on companies in the healthcare industry have slowed in recent months, with some malware groups even dubiously pledging they would refrain from targeting these firms during the COVID-19 pandemic. But Corvus says that trend is likely to reverse in the second half of 2020 as the United States moves cautiously toward reopening.

Corvus found that while services that scan and filter incoming email for malicious threats can catch many ransomware lures, an estimated 75 percent of healthcare companies do not use this technology.

Tags: , , , ,

69 comments

  1. As someone who has to deal with the healthcare system in the US, seeing a bloodsucking medical debt collection corporation be taken down by ransomware is amusing. For the first time ever I am rooting for the hackers. I hope they refuse to pay and I hope the hackers destroy this company.

    • @Steve – while I agree with your loathing of the medical industry in the US it is unfortunately the patients who will be losing their private health information. And I’m sure the corporatists at this company are friends of Donnie and can easily get bail-outs and get-out-of-jail cards for their malfeasance.

      • Was going to say the same. If my data is in there and was compromised I want this company to pay me. Oh wait, I guess it’s just free credit monitoring. Maybe an enterprising lawyer will file a nice class action suit for us regular folk.

      • No need for politics on this site, loser

    • …yes but, we’ll all end paying higher fees for medical procedures because the cost will just get passed on…

      …so in the end we all lose due to someone’s ignorance…

    • These were my first thoughts, too. I just wish the hackers were going for something more permanently destructive so the company couldn’t continue their extortion scheme.
      But then I realized that in the end, it’s always the common people who will pay (with their personal data, money, etc.) when a breach like this one occurs.
      One can just hope that this company gets held accountable for this gross negligence and faces a hefty fine in court for this. (Which I know is wishful thinking but you know, hopes die last).

      • If people paid their bills on time. Company’s like this would not exist. But you done so.

        • Let me just pay this $300,000 bill out of my pocket

        • Excluding purely elective surgeries, There is Zero price information provided, even a rough estimate, prior to incurring the cost. In what other industry does this happen? None! Imagine having to make some other large purchase like a car, which doesn’t include the typical life or death factor, and not knowing how much you just committed to until weeks later. It’s insane.

    • Healthcare Soc Wkr

      Agree with “Real Talk”. Steve– I’ve been a social worker in Healthcare for 25 years. Hospitals need assistance billing governmental payors and insurers correctly so that they recoup revenue compliantly. This insures the patient is also billed correctly. This company provides support to both hospitals and patients. There is no evidence that PHI was compromised here. I don’t think the article represented the company’s broad range of services.

  2. Just received this new notice from US-CERT which may be along the lines of the malware used against R1 RCM:

    https://us-cert.cisa.gov/ncas/alerts/aa20-227a
    Phishing Emails Used to Deploy KONNI Malware
    The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

  3. Just received this email from US-CERT:

    https://us-cert.cisa.gov/ncas/alerts/aa20-227a

    The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

  4. I have to say this article made me smile.

  5. Steve.
    A view that is probably held by many others
    I’m from the UK, so this kind of firm seems even more parasitic to me, although I understand the reason for its existence, and our insurance firms over here do a similiar thing, but more for how much its costing them to pay out, rather than profits for others.
    I wonder about the insurance risk firms like this must be if they don’t employ email scanner etcs, the folk behind this seem to know what their doing, chance of an individual firm detecting a very well done scheme is low, if I insured them, I’d insist they employed others or could prove in house capability, considering the numbers of attacks overall, this industry seems to have either been lucky so far, or they spend lots on good it defence…

  6. Karma!! This provided a great end to a good day. Seeing these bloodsucking parasites taken down is delightful. Champaign time!!

    This is not “medical data.” It is “data” that exists solely to cheat, defraud, overbill and screw medical patients.

    Everyone who has dealt with the byzantine BS of “medical billing” will cheer these “Hackers.” (Never thought I would ever cheer “hackers!”)

    Every victim of these parasites hope they never are able to access any of their “data.”

    • >>>This is not “medical data.”

      ….then how do they bill patients for medical services, if they do not have the patients’ medical data?

      Working in the healthcare IT industry, I’ve dealt with many medical billing customers, each of which gets sent patient data from hospitals to collect on.

      These companies receive, store and process almost 100% of the patients personal medical info. SSNs included.

      There’s not much about your hospital visit that some 3rd party medical billing provider or debt collector like this isnt going to get their hands on.

      Patient medical data (ePHI) was almost certainly involved – stop celebrating so much.

      • How is sharing medical info with non-doctors legal? Don’t we have HIPAA and other protections against that?

        • I think you may be misunderstanding the protections HIPAA provides. “Non-doctors” certainly need access to medical data.

          When my hospital bills my insurance company for a procedure, they can’t just say, “You owe us $10k for medical stuff. HIPAA says we can’t tell you what it was. Just pay.” They obviously have to tell the insurer what procedure they performed, and why that procedure was medically necessary.

          That does mean that the insurer is obliged under HIPAA to protect patient information. I do wonder if there will be any HIPAA consequences to this leak? Probably depends on what protections they had in place.

        • Perhaps some people should read the things they sign in a doctors office. You sign off on having received and accepting the firms “Privacy Practices”, which often require an active opt out for some data sharing. You sign an agreement that the practice may share your data, medical and otherwise, for the purpose of billing and collections. It goes on from there…

        • HIPAA permits covered entities such as health care providers to share medical information (PHI, ePHI) with others for the purposes of treatment, payment and health care operations without the patient having to authorize the disclosure of his/her PHI.

          Additionally, most covered entities rely to some extent on business associates to perform services on their behalf, such as collecting on medical debts, billing patients or defending them in a malpractice lawsuit. Before any PHI can be disclosed to the business associate, a valid Business Associate Agreement must be in place. These BAAs place contractual requirements on the BA and the BA is also subject to enforcement by the Office for Civil Rights.

          It is a common misconception that the patient must authorize every disclosure of PHI.

        • …I suggest next time you read and understand that HIPAA waiver you signed when you went to the doctor or the hospital…

          …you gave them the right to send your data everywhere they want to…

          …it’s your fault, not theirs…

          • Oh sure, and the patient has the ability to say no and wait for the company to come around when their Appendix is about to burst. They sign or they die, not much of a real choice is it?

  7. Oh happy day.

  8. WatchingandWaiting

    No need for politics, loser

  9. Can someone tell me how companies like R1 RCM can even exist with the current privacy laws?
    So you are telling me that these companies have all of my medical information and sell it to anyone who has the money and can use it against me?
    What can be done about it?

    • As someone who works for R1. We dont sale information, we work for providers to make sure their main focus is the patient. We actually dont even have access to SSN’s. We only have the information that is needed to do our jobs, like get the patients insurance to pay on claims so that patients aren’t held responsible for things they don’t owe. At R1 we believe in making sure patient privacy is upheld and they hold their employees to the highest standards. I hope this helps reassure you. And this is coming from a low man todum pole employee who codes and bills

      • Joan, how many insurance companies still use the SSN as their primary patient identifier? (No need to answer – I’ve done enough medical billing and collections to know.)

    • Hey there, we have a complete solution for you, above is our company web, please visit and contact.

      Thank You!

  10. Probably not the best place to ask this but I live in the defense world (mostly) so I don’t know how the commercial sector functions.

    Since OS and systems can be locked down reasonably well (kind of) the most common hack is getting users to click on bad links in emails and open files they shouldn’t.

    Shouldn’t all this stuff get quarantined from the end user and have to be vetted by IT prior to the non-tech person opening it?

    Trusting a non-technical person to be careful with things they don’t understand, or maybe even care about is asking for trouble.
    I realize some places may get tons of attachments but I just don’t see this problem getting solved if you are depending on the end user not to do something stupid.

    I know many of my jobs don’t allow any access to personal email accounts (gmail, whatever) because of this stuff.

    I’m just surprised how many freely allow word documents and other stuff that can be dangerous to be inserted into their networks.

    I mean I don’t think most companies trust employees to download and install any software they want, so why should attachments be any different?

    Back to my 2020 bunker

    • …”oh look, i’ve just won (fill in the blank)…

      …or, “my boss wants me to look at this…

      …etc., etc…

      …there’s an idiot born every minute…

      …you can’t fix stupid…

    • Rich: The problem is often lack of resources in budget-crunched IT departments. If you lock down all the workstations, then you need to be prepared for all the IT Helpdesk tickets that are going to be sent when the Sales department decides to start using an application that requires a browser plug-in or the Accounting department decides to send an Excel document to every employee that contains a macro. Many companies simply refuse to spend the money to have all the web-based business systems they need, nor all the IT staff they really need. Many, MANY businesses are still running on Excel spreadsheets that are emailed from person to person and/or shared from network drives.

    • It does appear excessive trust played a part in this caper.

      I didn’t realize unfettered access to the Internet from production database servers was still a thing.

      It hasn’t been a thing where I’ve worked in decades.

  11. Dick, You know, and patients, who are the victims of these parasites, should know that billing is done via standard codes.

    There is no legitimate reason for these parasites to exist except to the facilitate “upcoding,” “ramping,” a multiplicity of other Qui Tam violations, and “surprise billing” rampant in American medical billing. As a patient – consumer, we should not be caught between the insurance industry and these parasites.

    If there was a legal way to do it, I’d sponsor a “Go Fund Me” etc to pay the hackers to NEVER let these parasites retrieve any information.

    Center, You are generally right. BUT, Patients have a right to refuse to allow sharing. I try to always do that. If a health care provider gives you grief, and many do, immediately “Revoke” any consent in writing.

    Karma, Defined. Mother Nature’s bitter, frustrated, spinster elder sister. And we all know what a female hound mother Nature can be. 😉

    Still a happy day!!!

    • Its actually pretty sad that you think this way. At R1 we actually care about making sure patient information is only used for the purposes on working on patients claims. We dont set the allowed amount from insurances, we dont steal from patients. We don’t over charge or inflate anything. We do everything we can to make sure providers focus on patients while we handling the other aspects to help keep their practices running! I take my job very seriously I have been doing it for 11 years, you should rethink how hard we actually work for the patients…

      • Healthcare Soc Wrkr

        Well said Jane– you should be proud of that work– it is essential to the patient and the hospital’s well-being.

    • richard, which is exactly why I demand a paper copy of the Privacy Practices Dan read it BEFORE I sign that I did exactly that. In that document is all the information I need to deny the practice the ability to spread my data willy-nilly.

    • Healthcare Soc Wrk

      You obviously don’t work in healthcare or understand the complexity of billing based on diagnoses and medical documentation. Protecting the patients and healthcare providers from unfair payor practices is essential. THAT is what this company does– as well as education and providing support staff for hospitals who cannot find essential workers. Before you use the word “parasite”, educate yourself on the system. Several employees have commented here about the hard work they do to ensure that patients are treated properly. This is a HARD time to be in healthcare and companies like this are providing needed support. If you don’t have firsthand knowledge of the system or the company, keep you opinions to yourself.

  12. Who wants to start a GoFundMe for $10,000 more than the ransom on the condition they never disclose the key?

  13. Having worked in a number of IT departments and having worked as a small business IT consultants one of the first things companies want to cut to reduce costs is the IT department. Management seems to think as long as the computers and email are running everything is ok. Nothing could be further from the truth.

    One company I used to work for told the IT director that he needed to cut the IT budget by a million dollars a year. Roughly a quarter of the budget. He complained that they were already below industry standards for IT spending. They replaced him with an outside IT director who did make the cuts. 1/3 of the IT department was let go. The employees left were so busy just keeping everything up and running. This meant that security and patching was largely ignored. In about 2 years they were hit by a massive ransomware attack that put them out of business for 2 weeks costing them a million dollars a day.

  14. This obviously touches on a political hot button. Here is an idea. With all these complaints about the medical system in the US, why don’t you vote for reform? So you get a system like we have in Canada, or they have in Europe.
    And stop spending 30% of every health care dollar on administration, marketing, and dividends from insurance companies, while still not proving healthcare to a large section of the population?

    • We do vote for it. And then it goes nowhere, or we allow the same bad actors who screwed it up in the first place to participate in the design so we wind up getting more of the same — but with a different paint job.

    • @BB: Here in the US, we are unable to vote on individual federal laws/issues directly. We only have the initiative and referendum power at the state level. At the federal level, we vote for representatives who we hope would vote in our favour, but who are not bound to do so.

      Furthermore, the medical/pharma lobby is so powerful and money being so prevalent in politics, if a particular member of Congress votes in favour of universal health care, they lose campaign funding from the medical/pharma sector.

      It would be possible to amend the Constitution to enable initiative and referendum powers to the people, but such a move would require a supermajority vote (67%) in favour by Congress and approval by 38 out of 50 states to become law. I don’t see that ever happening, in my lifetime anyway.

  15. I think Brian should be proud that he has some of the finest readers in the world – the discussions are always very interesting, even if they go off the deep end occasionally; I’m very impressed.

    I wonder just how much damage outing patient data like this could do to the patient? After all, I always understood medical records use codes that only a transcription expert could ever figure out; and in fact is another industry in itself for checking of overcharges to insurance or patient billing. Seems to me no crook would be particularly interested in gleaning such data. Now the EquiFax breach, that one was a blockbuster gold mine for the crooks all over the world! 🙁

  16. We’re seeing a rash of successful ransomware attacks. Garmen got hit and I’m told, payed the ransom ($10M). This will keep happening until everyone in particular wealthy companies, start training all of their employees in the art of spotting phishing emails, bogus websites, not going for click-bait and so on. Anyone from the CEO down to the part timer in the stock room can inflict an attack.

    This isn’t a vulnerability for which software is the solution. This is a human problem that has to be fixed with training. Companies who understand this go so far as to send their payrolls fake phishing emails to see who will take the bait. Those employees are required to take additional training.

    • “This isn’t a vulnerability for which software is the solution. This is a human problem that has to be fixed with training. Companies who understand this go so far as to send their payrolls fake phishing emails to see who will take the bait. Those employees are required to take additional training.”

      I’m retired IT also. Your solution will never work on a long term basis. There will always be staff turnover. There will always be people who don’t “get” the training. Or who “forget” it in the press of a moment. Hackers are ingenious in finding these individuals. It only takes one out of a hundred or a thousand.

      The system architecture has to isolate the networks so that there is NO WAY that a computer using Word, Excel or Email can connect into the the network with the line of business app. on it. Not even the head of IT or the President of the company should be able to override that.

      If you rely on training individuals you’ll get hacked … assuming hackers see a payoff in it.

      • I’m still having trouble envisioning how a production database is exposed in such a way that a user on an endpoint falling for a fishing email link could result in the database being pwned.

        There should be layers of protection between the user endpoint and the database, specifically making it impossible for a macro to run on said endpoint to encrypt the database.

        Sure, the endpoint is liable to be pwned due to a user faux pas, but how do they pwn the database?

        • It’s called “lateral movement”. Basically, if the IT guys can navigate from the hacked box to anything else on the network (like the database server) via hopping from box to box, so can the intruders, since they get the IT guys’ credentials. The attackers typically spend days or weeks in the network between the initial compromise and when the files are stolen and encrypted.

    • retiredguy my wife works for the county where we live the IT department tests them every so often. The last test she got while working from home. She let me know she passed and spotted the fake email. I guess some of the stuff I read and tell her about is rubbing off. I believe these companies need to train there people better education is key.

  17. The golden rule of IT.. DON’T hire IBM.

  18. Great article Brian!

  19. payment was on bitcoins? every transaction is still visible on blockchain btc is not anonoumous

    • …yes, the transaction is public on the ledgers, but the owner is not…

      …in any case, the coins are washed thru multiple wallets and so the actual recipient disappears…

    • …yes and no, the transactions are in the many public ledgers, but not the identity of the payee, and the actual btc is washed through multiple wallets to the eventual payee, and that washing is hard to trace…

  20. “I’m retired IT also. Your solution will never work on a long term basis.”

    I should have written that this isn’t a vulnerability for which software is the sole solution. Obviously you don’t disable and abandon all scans, patrol, puppet, whatever you are using, firewalls, honey pots etc. Yes, training has to be on-going and regular. This is high cost but worth it if your data is impossible to recreate–research data for example. You have to have regular backups. Why not just pay the ransom? A few reasons but mainly no way to tell if the restoration will produce corrupted data ahead of time; also there are some cases where the bad guys take your money and vanish.

  21. R1 primarily works with healthcare providers to provide technology enabled services to help those providers manage a more efficient revenue stream. This means managing reimbursement from insurance companies as well as patients.

    I’d suggest the author of the article fact check the story a bit better.

  22. GOOD! Those medical debt collection places are less reputable than the old style porno shops with the $.025 cent booths in the back.

  23. NAME (REQUIRED)

    I noticed yesterday Carnival Cruises disclosed a ransomware attack that occurred on 8/15/2020.

  24. If anyone knows the hacker group I think I can scrape enough money together to keep the data encrypted. It may take a bit of time and I will need to set up a gofugme as I am about to get riddled in medical debt myself. Being a US citizen is a form of brutal capitalistic encapsulation.

    • …yes and no. HIPAA and HITECH require the covered entity to encrypt the PHI already…

      …the issue is that the past due dudes are not a covered entity…

      …so you’re asking them to do something they are not required to do…

  25. Anyone here that thinks the solution lies in software, IT/security, or job training needs to go into their bathroom and repeatedly slap and splash cold water onto the face they see in the mirror until they realize that this case is just another of the countless examples of why healthcare in the U.S. is systemically flawed. When a consumer’s only choice is to pay or die the fundamental rules of capitalism (outside of the cafeteria, when was the last time anyone saw a cash register in a hospital?) are broken, resulting in an army of insurers, lawyers, and administrators diving into the uncontrolled wellspring of profits. Is universal single-payer healthcare perfect? No, but at least it’s not absurd and unsustainable.
    -Sorry Joan, Jane, Healthcare Soc Wrkr, et al. When the system finally changes, hopefully your unemployment comes with job retraining.

  26. Excellent post. I absolutely appreciate this site.

    Continue the good work!

  27. Makes you wonder how big of a HIPAA violation occurred….