Change Healthcare’s systems are down for the seventh straight day after a cyber threat actor gained access to its network last week. Parent company UnitedHealth Group said most U.S. pharmacies have set up electronic workarounds to mitigate the impact.
UnitedHealth discovered that a “suspected nation-state-associated” threat actor breached part of Change Healthcare’s information technology network on Wednesday, according to a filing with the U.S. Securities and Exchange Commission on Thursday. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said.
Change Healthcare offers tools for payment and revenue cycle management, and its system outages have disrupted operations in pharmacies and health systems across the country. UnitedHealth said late Monday night that more than 90% of the nation’s pharmacies have set up modified electronic claims processing workarounds, while the rest have established offline processing systems.
The disruption has not impacted provider cash flows yet since payments are typically issued one to two weeks after processing, UnitedHealth said Monday.
UnitedHealth is the biggest health-care company in the U.S. by market cap, and it owns the health-care provider Optum, which services more than 100 million patients in the U.S., according to its website. Change Healthcare merged with Optum in 2022.
In a series of updates posted since Wednesday, Change Healthcare said it has a “high-level” of confidence that Optum, UnitedHealthcare and UnitedHealth Group’s systems were not affected by the attack. UnitedHealth said that these entities have been working with external partners like Palo Alto Networks and Google Cloud’s Mandiant to assess the breach.
“We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal,” UnitedHealth told CNBC in a statement Monday night.
The attack on Change Healthcare comes after 2023 set a grim record for health-related cybercrime. There were 725 large health-care security breaches last year, up from the record 720 the previous year, according to a January report from The HIPAA Journal.
Health data is attractive to bad actors because it can be easily monetized and sold on the dark web to perpetuate other crimes like identity theft and health-care fraud, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
He said there are different kinds of cyberattacks impacting the health-care sector, including data theft and ransomware attacks. In a data theft attack, bad actors sneak into a system and steal data. In a high-impact ransomware attack, the fallout can cause immediate harm to patients’ physical safety.
“They come in and encrypt all the data in networks, so that suddenly, immediately, systems go dark, they become unavailable,” Riggi told CNBC in an interview. This means diagnostic technologies like CT scanners can go offline, and ambulances carrying patients are often diverted, which can delay lifesaving care.
UnitedHealth has not yet disclosed the nature of the attack on Change Healthcare.
“They’re a victim of a foreign-based cyberattack,” Riggi said. “Ultimately, though, this was not an attack just on them, this was an attack on the entire health-care sector.”
Health care is a complex industry with lots of moving pieces and entry points, which means it can be hard for any organization to be 100% secure, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.
Even so, he said there are steps individuals can take to help keep their personal data safe, like keeping their software updated, setting up multifactor authentication and using strong, unique passwords.
“We all have a job to keep ourselves safe online,” Steinhauer told CNBC in an interview.
Riggi said senior health-care leaders need to dedicate real resources to cybersecurity and understand that it presents a risk to “every function” of the organization. In addition to deploying necessary technical defenses, he said health systems need to foster cultures where everyone feels like a part of the cybersecurity team.
But when it comes to preventing cyberattacks, Riggi said offense is just as important as defense.
“This is equivalent to cyber terrorism,” he said. “The government must devote as much priority, attention and resources to going after the bad guys who are conducting these attacks.”
UnitedHealth has not specifically disclosed exactly which Change Healthcare systems have been affected, but the fallout from the cyberattack has caused a ripple of problems across the U.S. health-care system.
CVS Health said some of its business operations were impacted by the interruption in a statement to CNBC on Saturday. The company said it has been unable to process insurance claims in some cases, though it can still fill prescriptions.
There is “no indication” that its systems have been compromised, CVS Health said in the statement.
Walgreens told CNBC that its pharmacy operations and the “vast majority” of its prescriptions have not been impacted by the breach at Change Healthcare, according to a statement Monday. The company said it has procedures to process the “small percentage” of prescriptions that may experience problems.
For consumers like Cary Brazeman, the disruption has been a headache.
Brazeman tried to pick up a prescription at a Vons pharmacy in Palm Springs, California, on Saturday, a day after seeing his dermatologist, but it was a fruitless effort. He was told that the pharmacy hadn’t received the transmission from his doctor, and even if they had, they wouldn’t have been able to run his insurance.
“I’m like, ‘Okay, what am I supposed to do now?’ and they’re like, ‘We don’t know,’” Brazeman told CNBC in an interview.
By Monday, Brazeman said the pharmacy had set up a workaround that helped it communicate with some insurance companies, but not all. He said he plans to revisit his doctor on Tuesday to pick up a paper copy of his prescription for the pharmacy. He hopes they can process his insurance.
Brazeman said he has been so concerned with the logistics of retrieving his medication that he wasn’t worried, until recently, about whether his personal information was exposed in the breach. The immediate problem, he said, is getting medication to the people who need it — especially those who have conditions more serious than his own.
“I’m mobile, so I can make these rounds if necessary, and I can pay cash if necessary, but there’s a lot of people who cannot,” he said.