Updated February 27 to include the company’s new statements.
A cyberattack on a unit affiliated with UnitedHealthcare, the nation’s largest insurer, disrupted prescription drug orders at thousands of pharmacies for about a week.
The assault on the Change Healthcare unit, a division of United’s Optum, was discovered last Wednesday. The attack appears to have been carried out by a foreign country, according to two senior federal law enforcement officials, who expressed alarm Monday about the scale of the disruption.
UnitedHealth Group, the conglomerate, said in a federal case that it had been forced to disconnect part of Change Healthcare’s vast digital network from its customers and that, as of Tuesday, it had been unable to restore all of those services. The company provided no timetable for when it might reconnect.
Change handles some 15 billion transactions annually, accounting for as many as one in three American patient records and involving not only prescriptions, but also dental, clinical and other medical needs. The company was acquired by UnitedHealth Group for $13 billion in 2022.
This latest attack highlights the vulnerability of healthcare data, particularly patients’ personal information, including their private medical records. Hundreds of violations at hospitals, health plans and doctors’ offices are under investigation, federal records show.
Federal authorities say they are closely monitoring the situation. “This incident is yet another reminder of the interconnectedness of the nation’s healthcare ecosystem and the urgency of building cybersecurity resilience across the ecosystem,” said Jeff Nesbit, a spokesperson for the U.S. Department of Health and Human Services, which said it was in contact with other federal agencies.
In this case, the disruptions were widespread, including to the U.S. military overseas. Change acts as a digital intermediary to help pharmacies verify a patient’s insurance coverage for their prescriptions, and some reports indicate people have been forced to pay cash.
Last week, after UnitedHealth discovered what it described as “a suspected nation-state cybersecurity threat actor” targeting Change, the company shut down several services, including those enabling pharmacies to quickly check what a patient owes for a medication. Some hospitals and physician groups that rely on Change for billing and getting paid may also be affected.
Large pharmacy chains like Walgreens say the effects have been limited, but many smaller businesses say they rely on Change every time they fill a prescription for an insured person.
“Over the last week, it’s been hit or miss whether we can take care of patients,” said Dared Price, who operates seven pharmacies in Kansas. Even though patients can pay cash if the drugs are inexpensive, he says some of his clients have been unable to get more expensive flu or Covid treatments because their insurance status is unclear.
“It’s a debacle,” he said.
Tricare, which covers the U.S. military, said its pharmacies in the United States and abroad were forced to fill prescriptions manually. It continued to warn people this week of possible delays in obtaining medications.
In a statement released Monday evening, Change said it had “worked closely with our customers to ensure people have access to the medications and care they need.” The company said the vast majority of pharmacies have found ways to continue filling prescriptions, adding Tuesday that claims volume has returned to normal levels.
The company said only a tiny fraction of its own customers have reported problems getting their medications.
Details about the attack, including whether patients’ personal information was stolen, are limited. Change has made periodic brief updates to its website. On Monday, the company reiterated that the affected services would likely be unavailable for at least another day. It also stressed that it had a “high level of confidence” that other areas of United’s business were not targeted by the attack.
But there’s no doubt that United, whose sprawling operations touch nearly every aspect of health care, was a particularly rich target.
“If you want to steal records, you need to go after as many records as possible,” said Fred Langston, chief product officer at Critical Insight, a cybersecurity company. “You literally hit the jackpot.”
The attacker’s motives are not yet known, Langston said. It may be ransomware, allowing the culprits to demand some sort of ransom. It may also be that the attempt was to throw the health care system into disarray by making it difficult to fill prescriptions or bill for care in a timely manner.
“You have a concentration of critical services for the entire industry, which represents a concentration of risk,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. He advises hospitals to be careful when connecting to Change or affiliated companies.
The industry has seen a growing number of these types of attacks, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit group.
Large healthcare data breaches nearly doubled between 2018 and 2022, including an increase in numbers involving ransomware, according to federal officials. Patients had to travel to different facilities, leading to delays in care, according to a recent report.
Under federal law, patients must eventually be notified if their information is subject to some sort of breach, Steinhauer said. People will be alerted even if their information does not appear to have become public.
“It’s worse if we find out that information is for sale on the dark web,” he said.
Glenn Thrush and Helene Cooper contributed reporting from Washington.