A cyberattack on a unit affiliated with UnitedHealthcare, the nation’s largest insurer, has disrupted prescription drug orders at thousands of pharmacies for nearly a week.
The break-in at the Change Healthcare unit, a division of United’s Optum, was discovered last Wednesday. The attack appeared to have been carried out by a foreign country, according to two senior federal law enforcement officials, who expressed alarm about the scope of the disruption on Monday.
UnitedHealth Group, the conglomerate, said in a federal filing that it had been forced to disconnect part of Change Healthcare’s vast digital network from its customers and, as of Monday, had not been able to restore all of those services.
Change handles about 15 billion transactions a year, representing up to one in three American patient records and involving not only prescriptions but also dental, clinical and other medical needs. The company was acquired by UnitedHealth Group for $13 billion in 2022.
This latest attack underscores the vulnerability of healthcare data, especially patients’ personal information, including their private medical records. Hundreds of violations at hospitals, health plans and doctors’ offices are being investigated, according to federal records.
In this case, the disruption has been widespread, including among U.S. military personnel overseas. Change acts as a digital intermediary to help pharmacies verify a patient’s insurance coverage for their prescriptions, and some reports indicate that people have been forced to pay cash.
Last week, after UnitedHealth found what it described as “a suspected nation-state-associated cybersecurity threat actor” targeting Change, the company shut down several services, including those that allowed pharmacies to quickly verify what a patient owes for a medication. Some hospitals and physician groups that rely on Change to bill and receive payments may also be affected.
Large pharmacy chains like Walgreens say the effects have been limited, but many smaller companies say they rely on Change when handling a prescription for someone with insurance.
“For the last week, there has been uncertainty about whether we can serve patients,” said Dared Price, who operates seven pharmacies in Kansas. While patients can pay cash if the medication is affordable, he says some of his clients have been unable to get more expensive flu or Covid treatments because their insurance status is unclear.
“It’s a debacle,” he said.
Tricare, which covers the U.S. military, said its pharmacies in the United States and abroad are being forced to fill prescriptions manually. It continued to warn people this week about possible delays in getting medications.
Details about the attack, including whether personal patient information was stolen, are limited. Change has been making regular short updates to its website. On Monday, the company reiterated that the affected services would likely be unavailable for at least one more day. It also stressed that it had a “high level of confidence” that other parts of United’s business were not the target of the attack.
But there’s no doubt that United, whose expanding businesses span nearly every aspect of health care, became a particularly rich target.
“If you’re going to steal logs, you want to go after as many logs as you can get,” said Fred Langston, product manager at Critical Insight, a cybersecurity company. “You’re literally hitting the jackpot.”
The attacker’s motives are not yet known, Langston said. It may involve ransomware, allowing the culprits to demand some type of ransom. The intent may also have been to disrupt the health care system by making it more difficult to fill prescriptions or bill for health care in a timely manner.
“There is a concentration of mission-critical services across the industry, which represents a concentration of risk,” said John Riggi, national cybersecurity and risk advisor for the American Hospital Association. He has been advising hospitals to be careful when connecting with Change or affiliated companies.
The industry has seen an increasing number of these types of attacks, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit group.
According to federal officials, large healthcare data breaches nearly doubled between 2018 and 2022, including an increase in the number of ransomware attacks. Patients have had to go to different centers, causing delays in care, according to a recent report.
Under federal law, patients must eventually be notified if their information is subject to any type of breach, Steinhauer said. People will be alerted even if their information does not appear to be publicly available.
“It’s worse if we discover that there is information for sale on the dark web,” he said.
Glenn Zorzal and Helen Cooper contributed reporting from Washington.