UnitedHealth blames a ‘nation-state’ for a hack disrupting pharmacy orders
A cyberattack against a division of UnitedHealth Group Inc. has caused a nationwide outage of a computer network that’s used to transmit data between healthcare providers and insurance companies, rendering some pharmacies unable to process prescriptions, according to the company and reports from affected organizations.
UnitedHealth found a “suspected nation-state associated cyber security threat actor” had access to subsidiary Change Healthcare’s systems Wednesday, prompting the company to disconnect them from other parties, the company said in a filing Thursday with the Securities and Exchange Commission.
UnitedHealth, the country’s largest health insurer, said in a statement Thursday that the cyberattack and related “network interruption” affected only Change Healthcare and that all its other systems are operational. Change Healthcare is a key intermediary in the $1.5-trillion U.S. health insurance market.
UnitedHealth is working with law enforcement and security experts but can’t say when the service will be restored, according to the filing. The company hasn’t determined that the attack is likely to affect its financial results, it said.
“Change Healthcare is experiencing a cybersecurity issue, and our experts are working to address the matter,” the Minnetonka, Minn.-based company said earlier in a statement on its website. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact.”
As many as 9,000 Americans die each year after receiving the wrong prescription drugs or doses. Pharmacies are fighting a bill to shed light on the problem.
The incident is the latest in a series of attacks where hackers have compromised providers of back-end IT software and services — companies that are often little-known outside of their industries yet play critical roles in the normal functioning of such diverse entities as financial markets and government services — and triggered cascading disruptions across their customer bases.
Last month, for example, a ransomware attack against Tietoevry Oyj, a Finnish information technology company, crippled payroll and other services for government agencies and hospitals, retailers, cinemas and other customers throughout Sweden.
Three days later, a ransomware attack against EquiLend, a financial technology firm in New York whose software processes trillions of dollars of stocks, bonds and derivatives trades each month, knocked some of that company’s services offline, causing trading desks at some of the world’s biggest banks to revert to inputting transactions manually.
The full scale of the disruptions caused by the UnitedHealth attack isn’t yet known; the company declined to provide further details. But some affected organizations have disclosed information online.
“We’re aware that some pharmacies are experiencing systems issues due to a nationwide outage from the largest prescription processor in North America,” BlueCross BlueShield of Montana said in a statement posted to its website. “Some pharmacies cannot confirm insurance coverage, which could delay filling or refilling your medications.”
Every year, millions of Californians leave the pharmacy with the wrong drugs or dosages. Don’t let it happen to you.
The statement continued, “If you choose not to delay filling your prescription, you have the option to pay for the medication out-of-pocket and submit the receipt with the reimbursement form. You may also try to fill the prescription at another pharmacy.”
The size of Change Healthcare’s operations is massive.
The company operates the largest medical electronic data interchange clearinghouse in the country, a network that acts as a middleman shuttling claims information back and forth between insurance companies and doctor’s offices, hospitals and other healthcare providers seeking payment for their services, according to public filings.
When Change Healthcare went public in 2019, the Nashville-based company’s S-1 filing included key details about the business, including that its customers include “the vast majority of U.S. payers and providers” and “approximately 2,200 government and commercial payer connections, 900,000 physicians, 118,000 dentists, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.”
A lawsuit three years later by the U.S. Department of Justice opposing the company’s $7.8-billion acquisition by UnitedHealth on the grounds that it would give the insurance giant visibility into and control over rival insurers’ proprietary data, described Change Health as a linchpin of the U.S. healthcare system. It also stated that “over 50% of U.S. medical claims pass through (or touch) Change’s EDI clearinghouse, making it a vital link between providers and insurers.” The Justice Department lost its antitrust challenge, and the deal closed in October 2022.
On Thursday, a representative of the American Hospital Assn., an organization that also opposed the acquisition, published an alert to the group’s roughly 5,000 member hospitals and other healthcare providers advising them to disconnect their systems from Change Healthcare, which is part of UnitedHealth’s Optum information technology division.
“Due to the sector-wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health-care technologies and clinical authorizations provided by Optum across the health care sector,” John Riggi, a former FBI cyber official and now the hospital group’s national advisor for cybersecurity and risk, posted on his LinkedIn page. “Based upon below statements from Optum, that they became aware of an ‘outside threat’ and disconnected ‘in the interest of protecting our partners and patients,’ we are recommending that all health-care organizations should also consider disconnection from Optum as well, until independently deemed safe to reconnect to Optum.”
The two biggest U.S. pharmacy chains said they both were experiencing limited disruptions.
In a statement, CVS said it is continuing to fill prescriptions “but in certain cases we are not able to process insurance claims, which our business continuity plan is addressing to ensure patients continue to have access to their prescriptions.”
Walgreens Boots Alliance said the “vast majority” of prescriptions it fills were not affected, but that “for the small percentage that may be affected, we have procedures in place so that we can continue to process and fill these prescriptions with minimal delay or interruption.”
