A cyberattack on a unit of UnitedHealthcare, the largest U.S. insurer, disrupted drug prescription orders at thousands of pharmacies for nearly a week.
The attack on a unit at Change Healthcare, a division of United Optum, was discovered last Wednesday. The attack appears to be of foreign origin, according to two senior federal law enforcement officials, who voiced warnings on Monday about the level of chaos.
The corporate giant UnitedHealth Group said in a federal filing that it had to disconnect some of Change Healthcare's vast digital network from customers and had been unable to restore all of those services as of Monday.
Change processes approximately 15 billion transactions annually, touching one in three U.S. patient records. The transactions relate to dental, clinical and other healthcare needs, as well as prescriptions. The company was acquired by UnitedHealth Group in 2022 for $13 billion.
This latest attack highlights the vulnerability of medical data, including personal medical records, and the risk to patient privacy. Federal records show hundreds of violations at hospitals, health plans and doctors' offices are being investigated.
In this case, the uproar was widespread, including among U.S. troops overseas. Change acts as a digital intermediary that helps pharmacies verify patients' insurance coverage for prescription drugs, and some reports have suggested that the disruption has forced people to pay in cash.
Last week, UnitedHealth shut down several services, including one that allows pharmacies to quickly check if patients owe them money for medications, after discovering “suspected nation-state cybersecurity threat actors” targeting Change. Some hospitals and physician groups that use Change for billing may also be affected.
Large pharmacy chains like Walgreens say the effect is limited, but many smaller pharmacies say they rely on Change every time they fill prescriptions for people with insurance.
“For the past week, we’ve been torn about whether we can take care of our patients,” said Dared Price, who runs seven pharmacies in Kansas. Patients can pay out of pocket for lower-priced drugs, but some customers say they can't get more expensive treatments for the flu or Covid because their insurance status is unclear.
“This is a fiasco,” he said.
Tricare, which caters to the U.S. military, said its pharmacies in the U.S. and abroad are being forced to fill prescriptions manually. This week it continued to warn people that their medication could be delayed.
Details about the attack, including whether personal patient information was stolen, are limited. Change has been making brief, regular updates to its website. On Monday, the company reiterated that affected services would be unavailable for at least a day. It also stressed that it had a “high level of confidence” that no other parts of United’s business were targeted in the attack.
But there is little doubt that United, whose business touches nearly every aspect of health care, makes a particularly rich target.
“If you’re going to steal records, you better steal the biggest records you can get,” said Fred Langston, chief product officer at cybersecurity firm Critical Insight. “You’re literally hitting the jackpot.”
The attacker's motive is not yet known, Langston said. Ransomware may be involved, which would allow the criminal to demand some kind of ransom. The intent may also be to disrupt the health care system by making it more difficult to fill prescriptions or bill for treatment in a timely manner.
“There is a concentration of mission-critical services across the entire sector, which represents a concentration of risk,” said John Riggi, national counsel for cybersecurity and risk at the American Hospital Association. Hospitals have been advised to be cautious about linking to Change or its affiliates.
Cliff Steinhauer, director of information security and engagement at the nonprofit National Cybersecurity Alliance, said the industry is seeing an increase in these types of attacks.
The number of large-scale breaches of healthcare data, including a surge in ransomware-related cases, nearly doubled from 2018 to 2022, according to federal officials. According to recent reports, patients had to be transferred to other facilities, which led to delays in treatment.
Federal law requires that patients eventually be notified if their information is subject to some kind of breach, Steinhauer said. People will receive warnings even if their information does not appear to be publicly available.
“It gets worse when you find out your information is being sold on the dark web,” he said.
Glen Thrush and Helen Cooper contributed reporting from Washington.