The Intrusions

ASH MERIDIAN, a Chinese state-sponsored cyber espionage group, has compromised at least 14 U.S. healthcare payment processing systems since early December, according to two incident responders at a Fortune 500 firm who have tracked the activity. The intrusions were first detected on Dec. 19 during a routine hunt at a Texas-based hospital network, the responders said. The campaign has since spread to payment processors in Florida, California, and Ohio, with the most recent confirmed breach occurring on Dec. 22 at a revenue-cycle firm in Cleveland.

The attackers appear to have begun reconnaissance no later than Dec. 9, when a suspicious login to a virtual private network portal was recorded at a large health system in Houston, one responder said. The group has targeted organizations that handle claims for Medicare Advantage plans, commercial insurers, and state Medicaid programs, the second responder said. A federal cybersecurity contractor familiar with the investigation said the activity is concentrated on organizations that process electronic remittance advice and eligibility verification transactions.

Tactics and Scope

The attackers are gaining initial access through compromised credentials on remote access portals and then pivoting into billing and claims systems, a CISO briefed on the investigation said. The group is exfiltrating payment routing data, patient eligibility records, and contract fee schedules rather than encrypting systems, the CISO said. A federal cybersecurity contractor familiar with the matter said the stolen data could be used to redirect reimbursement payments or to build detailed profiles of insurers and providers. The contractor estimated that roughly $230 million in delayed or flagged claims has already accumulated across affected systems.

The activity appears aimed at payment intermediaries rather than electronic health record systems, the CISO said. In at least three cases, the attackers accessed modules that process electronic remittance advice, which carries banking details used to deposit insurance payments, the federal contractor said. The CISO said the group is operating with a low malware footprint and appears to be timing data exfiltration for overnight hours to avoid detection by smaller security teams working holiday shifts.

Defensive Ask

Cybersecurity teams at hospitals, revenue-cycle firms, and clearinghouses should immediately disable unused remote access accounts, enforce phishing-resistant multi-factor authentication, and review SAML and OAuth integrations for signs of tampering, the incident responders said. They also recommended segmenting payment networks from clinical systems, revoking stale service-account credentials, and monitoring for unusual outbound data transfers during overnight and holiday hours. The CISO said organizations should verify that any vendor with access to claims systems has applied the same controls before the end of the year.

The responders said ASH MERIDIAN has historically relied on valid credentials and trusted third-party access rather than novel malware, making detection difficult for organizations that do not closely audit remote sessions. They urged finance and IT leaders to coordinate reviews of recent changes to payment routing instructions and to validate any requests to update banking information with a second out-of-band confirmation. Healthcare entities that have not completed a recent access review were advised to treat the week between Christmas and New Year's as a high-risk window.
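The overnight and holiday outbound-transfer monitoring the responders recommend above can be reduced to a small baseline check. The script below is an added example written for this article, not code from the responders, the CISO, or any vendor named here; the log format, host names, IP addresses, quiet-hours window, holiday dates and thresholds are all constructed assumptions. It learns each host's daytime egress volume and flags transfers that occur in the quiet window or on a holiday and are large relative to that baseline, or for which no daytime baseline exists at all.

```python
"""Flag outbound transfers from a payment network that occur during
overnight or holiday hours and are large relative to each host's
daytime baseline.  Added example: the log format, thresholds, hosts
and addresses below are constructed for illustration only."""
from collections import defaultdict
from datetime import date, datetime, time
from statistics import mean, pstdev

# Constructed sample egress log: "timestamp,src_host,dst_ip,bytes_out"
SAMPLE_LOG = """\
2024-12-20T10:15:00,claims-app-01,203.0.113.10,52000000
2024-12-20T11:40:00,claims-app-01,203.0.113.10,48000000
2024-12-20T14:05:00,claims-app-01,203.0.113.10,55000000
2024-12-21T02:30:00,claims-app-01,198.51.100.77,910000000
2024-12-21T09:10:00,era-gw-02,203.0.113.20,12000000
2024-12-25T13:00:00,era-gw-02,198.51.100.77,400000000
2024-12-22T03:15:00,era-gw-02,203.0.113.20,9000000
"""

OVERNIGHT_START = time(22, 0)   # assumption: local quiet hours 22:00-06:00
OVERNIGHT_END = time(6, 0)
HOLIDAYS = {date(2024, 12, 25), date(2025, 1, 1)}  # assumption: observed holidays
SIGMA = 3.0                      # flag if above mean + 3 * stdev of daytime volume
MIN_DAYTIME_SAMPLES = 2          # need this many daytime points to trust a baseline
ABSOLUTE_FLOOR = 100_000_000     # bytes; ignore small transfers regardless of hour


def parse_log(text):
    """Parse CSV-style lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        events.append({"ts": ts, "host": parts[1], "dst": parts[2], "bytes": size})
    return events


def is_off_hours(ts):
    """True inside the overnight window or on a holiday date."""
    t = ts.time()
    overnight = t >= OVERNIGHT_START or t < OVERNIGHT_END
    return overnight or ts.date() in HOLIDAYS


def flag_off_hours_egress(events):
    """Return (host, dst, iso_timestamp, bytes, reason) for suspicious transfers.

    The baseline is built only from transfers outside the quiet window, so
    the attacker's own overnight activity cannot inflate it."""
    daytime = defaultdict(list)
    for e in events:
        if not is_off_hours(e["ts"]):
            daytime[e["host"]].append(e["bytes"])

    findings = []
    for e in events:
        if not is_off_hours(e["ts"]) or e["bytes"] < ABSOLUTE_FLOOR:
            continue
        base = daytime.get(e["host"], [])
        if len(base) >= MIN_DAYTIME_SAMPLES:
            threshold = mean(base) + SIGMA * pstdev(base)
            if e["bytes"] <= threshold:
                continue
            reason = f"{e['bytes']} bytes exceeds daytime baseline {threshold:.0f}"
        else:
            reason = "no daytime baseline for host"
        findings.append((e["host"], e["dst"], e["ts"].isoformat(), e["bytes"], reason))
    return findings


if __name__ == "__main__":
    for finding in flag_off_hours_egress(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the constructed sample, the 02:30 transfer of 910 MB from claims-app-01 is flagged because it is far above that host's roughly 52 MB daytime average, and the Christmas Day transfer from era-gw-02 is flagged because the host has too few daytime samples to establish any baseline. The 9 MB transfer at 03:15 is ignored by the absolute floor so that routine keep-alives and small batch jobs do not generate noise; in production the floor and the quiet-hours window would be tuned per environment, and the holiday set would be loaded from the organization's own calendar rather than hard-coded.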

Government Response

CISA and HHS are preparing a joint Healthcare Sector Cybersecurity Coordination Directive, expected to be released by Dec. 27, according to the federal cybersecurity contractor. The directive will require hospitals and payment processors that accept Medicare claims to report any suspected remote-access compromise within 72 hours. A senior HHS official said the agencies will hold a briefing on Dec. 30 at 2:00 p.m. in the Hubert H. Humphrey Building in Washington. The FBI has opened a parallel investigation at its Pittsburgh field office, the contractor said.

The directive will also require affected entities to preserve remote-access logs for 90 days and to provide CISA with a point of contact for incident reporting within 24 hours of publication, the senior HHS official said. A CISA spokesperson declined to comment on the investigation but confirmed the agency is coordinating with HHS on holiday-season threat monitoring. The White House is expected to receive a classified summary of the campaign by Dec. 26, the federal contractor said. HHS has also scheduled a call with hospital association representatives for Dec. 28 to discuss supplemental security measures for Medicare payment systems, according to the senior HHS official.

What to Watch

Watch for the CISA alert, possible victim notifications, and whether the group shifts to pharmacies or state Medicaid systems. The incident responders said ASH MERIDIAN has a history of pausing activity between Dec. 25 and Jan. 2 before resuming with new infrastructure. They said defenders should expect renewed targeting around Jan. 5, when payment processors return to full staffing after the New Year holiday. Security firms said organizations should also monitor for newly registered domains mimicking major clearinghouses, a tactic ASH MERIDIAN has used in previous holiday campaigns. The CISO said any organization that discovers unexpected changes to claims processing or payment routing should report the activity to CISA through its 24-hour operations center and to the FBI's Internet Crime Complaint Center.