A cyberattack on a UnitedHealth unit disrupts prescription drug orders
A cyberattack on a department affiliated with UnitedHealthcare, the nation’s largest insurer, has disrupted prescription orders at thousands of pharmacies for nearly a week.
The attack on the Change Healthcare unit, a division of United’s Optum, was discovered last Wednesday. The attack appeared to come from a foreign country, according to two senior federal law enforcement officials, who expressed concern Monday about the extent of the disruption.
This is what the conglomerate UnitedHealth Group says in a federal file that it had been forced to disconnect part of Change Healthcare’s vast digital network from its customers, and had not been able to restore all these services as of Monday.
Change processes approximately 15 billion transactions per year, representing as many as one in three patient records in the US. This includes not only prescriptions, but also dental, clinical and other medical needs. The company was acquired by UnitedHealth Group for $13 billion in 2022.
This latest attack highlights the vulnerability of healthcare data, especially patients’ personal information, including their personal medical records. Hundreds of breaches Health plans and doctors’ offices are being investigated in hospitals, according to federal data.
In this case, the disruption was widespread, including for the U.S. military abroad. Change acts as a digital intermediary to help pharmacies verify a patient’s insurance coverage for their prescriptions, and some reports indicate people are being forced to pay in cash.
Last week, after UnitedHealth discovered what it described as “a suspected nation-state associated cybersecurity threat actor” targeting Change, the company shut down several services, including those that allow pharmacies to quickly check what a patient owes for a drug. Some hospitals and physician groups that rely on Change for billing may also be affected.
Major drugstore chains like Walgreens say the effects have been limited, but many smaller drugstores say they rely on Change when filling a prescription for someone with insurance.
“This past week it was questionable whether we could care for patients,” said Dared Price, who operates seven pharmacies in Kansas. While patients can pay cash if the drugs are cheap, he says some of his clients have not been able to get more expensive treatments for flu or Covid because their insurance status is unclear.
“It’s a debacle,” he said.
Tricare, which covers the U.S. military, said its pharmacies in the United States and abroad are being forced to fill prescriptions manually. She continued to warn people this week about possible delays in obtaining medicines.
Details about the attack, including whether any personal patient information was stolen, are limited. Change has made short periodic updates to its website. On Monday, the company reiterated that the services concerned are likely to be unavailable for at least another day. It also stressed that it had a “high level of confidence” that other parts of United’s businesses were not targeted in the attack.
But there is little doubt that United, whose sprawling operations span nearly every aspect of health care, was a particularly wealthy target.
“If you’re going to be looking to steal records, you want to grab the biggest pot of records you can get,” says Fred Langston, chief product officer of Critical Insight, a cybersecurity company. “You literally hit the jackpot.”
The attacker’s motives are not yet known, Mr Langston said. It may be ransomware, allowing the perpetrators to demand a ransom. The intent may also have been to confuse the health care system by making it more difficult to fill prescriptions or bill for care in a timely manner.
“You have a concentration of mission-critical services for the entire industry, which represents a concentration of risk,” said John Riggi, the American Hospital Association’s national advisor on cybersecurity and risk. It advises hospitals to be careful when joining Change or affiliated companies.
The industry has seen an increasing number of these types of attacks, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit organization.
Major healthcare data breaches nearly doubled between 2018 and 2022, including a spike in cases involving ransomware, according to federal officials. Patients had to go to different facilities, resulting in delays in care, according to a recent report.
Federal law ultimately requires patients to be notified if their information is the subject of some kind of breach, Mr. Steinhauer said. People are alerted even if their information does not appear to have become publicly available.
“It’s even worse when we find out that information is for sale on the dark web,” he said.
Glenn Thrush And Helene Kuiper contributed reporting from Washington.