Valued PLEXIS Client:

 

Many of you have been and continue to be affected by the Change Healthcare cyber-attack. We understand how stressful and disruptive this is for many of your organizations. We are working with our hosting solution partner – True North, and together we have been monitoring the situation closely as it pertains to impacts to our True North hosted environments and managed customers.

We are collectively continuing to monitor the incident analysis closely and will further patch and protect our systems and our customers systems as needed.

What we know today:

1. Entry Point– The current information shared is that this attack leveraged a remote monitoring/support tool called ScreenConnect. The attack leveraged common Phishing techniques to gain and elevate privileges into Change Healthcare.  True North does not use ScreenConnect to support and monitor our customers. We leverage a self-hosted support tool called Nable in our SOC 2 certified Cloud.
2. Remediation– Many of you are currently being impacted by the severing of access to Change Healthcare and Optum networks. This is a common practice during a Cyber incident to limit downstream impacts on customers whereas the breached party does not know the severity or breadth of systems impacted. Some of you have moved to paper claim receipt and payment processing. If you receive communication from Change Healthcare regarding other specific steps and require PLEXIS and/or True North assistance, please submit a ticket to PLEXIS Client Support as assistance is needed.
3. Ongoing Event– We understand this is ongoing. We are continuing to monitor for additional intelligence that would impact any filters, network security configurations, and/or changes we need to make related to the attack. These are normal procedures that our Cloud teams perform daily. While these attack methods are not new, the scale and scope of the impact is the largest our industry has seen. We will implement any protective measures as needed.

PLEXIS/True North recommendations:

1. Breach notifications– Some of you have received an impacted patient list. We expect this list to impact millions of records often shared by many practices. Our current advice is to hold tight until further information is released on any notifications given the size and breadth of the records impacted. We would suggest you contact your Cyberinsurance carrier if you have received notice of records impacted. If you would like to have a conversation regarding your specific communications from Change Healthcare, please reach out to our Client Support team to help facilitate a conversation.
2. Phishing Awareness– Given this attack has followed common social engineering and Phishing attack methods we would encourage a message sent to ALL EMPLOYEES on the importance of being diligent on opening emails that look suspicious. Especially messages from Change Healthcare, United Health, and Optum. The attackers may spoof messages to further perpetrate the attack.
3. SOC/MDR– True North leverages Crowdstrike to monitor and protect our systems. Most of you are leveraging our tools monitored centrally as part of your service. If you are not and are interested in more advanced monitoring please reach out for a discussion around those options.
4. Dark Web Scanning– Given the size of this attack and the uncertainty around impacts to Change Healthcare and Optum partners True North is going to leverage its Dark Web Scanning tools AT NO COST to you to do a one-time scan of your domain to inspect if any usernames or passwords have been impacted during this attack. Given that the attackers like to have the domains, we want to verify and report to you anything we find that has been divulged on the dark web post attack.

If any new information that would impact how we protect your systems or data materializes, we will send communication to inform any actions we are taking or any actions that we would suggest you take.

 

Best and safest regards,

Sean R. Garrett

Chief Operating Officer

 

###