UnitedHealth Change Healthcare Cyber ​​Attack Outages Continue, Pharmacies Implement Workarounds

Change Healthcare’s systems have been down for a seventh day after a cyber threat actor gained access to its network last week. The parent company UnitedHealth Group said most US pharmacies have established electronic mitigation solutions.

UnitedHealth discovered that a “suspected nation-state-linked threat actor” breached part of Change Healthcare’s information technology network on Wednesday, according to submission with the US Securities and Exchange Commission on Thursday. UnitedHealth isolated and disconnected affected systems “immediately upon discovery” of the threat, the filing said.

Change Healthcare offers payment and revenue cycle management tools, and outages to its system have disrupted operations at pharmacies and health systems across the country. UnitedHealth said late Monday that more than 90 percent of the nation’s pharmacies have set up modified workarounds to process electronic claims, while the rest have set up offline processing systems.

The outage has not yet affected providers’ cash flow, as payments typically occur one to two weeks after processing, UnitedHealth said Monday.

UnitedHealth is the largest U.S. healthcare company by market capitalization and owns healthcare provider Optum, which serves more than 100 million U.S. patients, according to website. Change Healthcare merged with Optum in 2022.

In a series of updates published since Wednesday, Change Healthcare said it has a “high level” of confidence that Optum, UnitedHealthcare and UnitedHealth Group’s systems were not affected by the attack. UnitedHealth said these entities work with external partners such as Palo Alto Networks and Google Cloud’s Mandiant to evaluate the breach.

“We appreciate the partnership and hard work of all of our respective stakeholders to ensure that providers and pharmacists have effective workarounds to serve their patients when systems are restored to normal,” UnitedHealth told CNBC in a statement Monday night .

Growing number of cyberattacks in healthcare

The attack on Change Healthcare comes after 2023 set a grim record for health-related cybercrime. There were 725 major healthcare security breaches last year, up from a record 720 the previous year, according to a January report by The HIPAA Journal.

Health data is attractive to bad actors because it can be easily monetized and sold on the dark web to perpetuate other crimes such as identity theft and health fraud, said John Riggi, national cybersecurity and risk adviser at the American Hospital Association.

He said there are different types of cyber attacks that affect the healthcare sector, including data theft attacks and ransomware attacks. In a data theft attack, bad actors infiltrate the system and steal data. In a high-impact ransomware attack, the effects can cause immediate harm to the physical safety of patients.Â

“They go in and encrypt all the data on the networks, so suddenly, instantly, the systems go dark, they become inaccessible,” Riggi said in an interview with CNBC. This means diagnostic technology such as CT scanners can remain offline and ambulances transporting patients are often diverted, which can delay life-saving assistance.

UnitedHealth has not yet disclosed the nature of the attack against Change Healthcare.

“They are the victim of a foreign cyberattack,” Riggi said. “But at the end of the day, it wasn’t just an attack on them, it was an attack on the entire healthcare sector.”

Healthcare is a complex industry with many moving parts and entry points, which means it can be difficult for any organization to be 100 percent secure, said Cliff Steinhauer, director of information security and engagement at the National Cyber ​​Security Alliance.

However, he said there are steps people can take to keep their personal data safe, such as updating their software, setting up multi-factor authentication and using strong, unique passwords.

“We all have a job to protect ourselves online,” Steinhauer said in an interview with CNBC.

Righi said senior healthcare leaders need to commit real resources to cybersecurity and understand that it poses a risk to “every function” of the organization. In addition to having the necessary technical protections in place, he said health systems need to foster cultures where everyone feels like a part of the cybersecurity team.

But when it comes to preventing cyberattacks, Riggi said the offense is just as important as the defense.

“This is equivalent to cyber terrorism,” he said. “The government should be devoting so much priority, attention and resources to going after the bad guys who carry out these attacks.”

Impact of the Change Healthcare breach

UnitedHealth did not disclose exactly which Change Healthcare systems were affected, but the effects of the cyber attack caused a wave of problems in the US health care system.

CVS Health said some of its business operations were affected by the outage in a statement to CNBC on Saturday. The company said it has been unable to process insurance claims in some cases, although it can still fill prescriptions.

There was “no indication” that its systems had been compromised, CVS Health said in a statement.

Walgreens told CNBC that its pharmacy operations and “the vast majority” of its prescriptions were not affected by the Change Healthcare breach, according to a statement Monday. The company said it has procedures in place to handle the “small percentage” of prescriptions that may have problems

For users like Cary Brazeman, the outage was a headache

Breizman tried to pick up a prescription at a Vons pharmacy in Palm Springs on Saturday, a day after visiting his dermatologist, but efforts were fruitless. He was told that the pharmacy had not received the referral from his doctor and even if they had received it, they would not have been able to get him insurance.

“I was like, ‘OK, what should I do now?’ and they’re like, ‘We don’t know,'” Breizman said in an interview with CNBC

By Monday, Brazeman said the pharmacy had created a solution that helped it communicate with some insurance companies, but not all. He said he plans to visit his doctor again on Tuesday to pick up a paper copy of his prescription for the pharmacy. He hopes they can process his insurance

Breizman said he was so concerned about the logistics of retrieving his drugs that until recently he didn’t worry about whether his personal information was exposed in the breach. The immediate problem, he said, is getting drugs to the people who need them — especially those with illnesses more serious than his.

“I’m mobile, so I can make those rounds if I need to, and I can pay cash if I need to, but there are a lot of people who can’t,” he said.