Change Healthcare provides tools for payment and revenue cycle management, and its outage disrupted operations at pharmacies and health systems across the country. UnitedHealth announced late Monday night that more than 90% of its pharmacies nationwide have set up a modified electronic claims processing workaround, and the remaining pharmacies have set up offline processing systems.
UnitedHealth said Monday that the disruption has not yet impacted providers’ cash flow, as payments typically occur one to two weeks after processing.
UnitedHealth is the largest healthcare company in the United States by market capitalization, and the company owns healthcare provider Optum, which serves more than 100 million patients in the United States. Website. Change Healthcare merges with Optum in 2022.
In a series of updates posted since Wednesday, Change Healthcare said it had a “high level” of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems were not affected by the attack. said. UnitedHealth said the organizations are working with external partners such as Palo Alto Networks and Google Cloud’s Mandiant to assess the breach.
UnitedHealth told CNBC in a statement Monday night that “we are taking steps to ensure that health care providers and pharmacists have effective workarounds to serve patients and to ensure that our systems return to normal.” We thank everyone involved for their partnership and hard work.”
Increase in cyber attacks in the medical field
The attack on Change Healthcare comes after a disastrous record was set for healthcare-related cybercrime in 2023. There were 725 major healthcare security breaches last year, up from a record 720 the year before, according to a January report in The. HIPAA Journal.
Health data can be easily monetized and sold on the dark web to perpetuate other crimes such as identity theft and health care fraud, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Because of this, he said, it is attractive to bad guys.
He said there are different types of cyberattacks that affect the healthcare sector, such as data theft attacks and ransomware attacks. In a data theft attack, a malicious attacker infiltrates a system and steals data. In a high-impact ransomware attack, the fallout can cause immediate harm to patient physical safety.
“They come in and encrypt all the data in the network, so all of a sudden, instantly, the system goes dark and becomes unavailable,” Riggi said in an interview with CNBC. This means diagnostic technology such as CT scanners can go offline, ambulances transporting patients are often diverted, and life-saving care can be delayed.
UnitedHealth has not yet disclosed the nature of the attack on Change Healthcare.
“They are victims of foreign-based cyberattacks,” Rigi said. “But at the end of the day, this was not just an attack on them, it was an attack on the entire health sector.”
Cliff Steinhauer, Director of Information Security and Engagement at the National Cybersecurity Alliance, said the healthcare industry is a complex industry with many variables and entry points, so ensuring 100% security is critical for any organization. says it can be difficult.
Still, he said there are steps individuals can take to keep their personal data safe, including keeping software up to date, setting up multi-factor authentication and using strong, unique passwords.
“We all have a job to do to keep ourselves safe online,” Steinhauer said in an interview with CNBC.
Riggi said senior healthcare leaders need to commit real resources to cybersecurity and understand that it poses risks to “every function” of the organization. In addition to deploying the necessary technical defenses, he said, health systems need to foster a culture where everyone feels part of the cybersecurity team.
But when it comes to preventing cyberattacks, Rigi says offense is just as important as defense.
“This is tantamount to cyberterrorism,” he said. “Governments must devote their utmost priority, attention and resources to pursuing the bad actors behind these attacks.”
Impact of Change Healthcare Breach
Although UnitedHealth did not say specifically which Change Healthcare systems were affected, the fallout from the cyberattack is causing a ripple of problems throughout the U.S. health care system.
CVS Health said in a statement to CNBC on Saturday that some business operations were affected by the disruption. The company said it can write prescriptions but may not be able to process insurance claims in some cases.
CVS Health said in a statement that there is “no indication” that its systems were compromised.
In a statement Monday, Walgreens told CNBC that the “vast majority” of its pharmacy operations and prescriptions were not affected by the Change Healthcare breach. The company said it has procedures in place to handle the “small percentage” of prescriptions that may have problems.
For consumers like Cary Blazeman, the confusion is a headache.
On Saturday, the day after seeing a dermatologist, Blaisman tried in vain to pick up a prescription at Vons Pharmacy in Palm Springs. He was told that the pharmacy did not receive the information from the doctor, and even if it did, it would not be covered by insurance.
“It’s like, ‘Okay, what do we do now?'” And they’re like, “We don’t know,” Breisman said in an interview with CNBC.
By Monday, the pharmacy had set up workarounds to help contact some insurance companies, Breisman said, but not all. He said he plans to see his doctor again on Tuesday and pick up a paper copy of his prescription at the pharmacy. He hopes they can handle his insurance.
Blaisman said he was very concerned about the logistics of recovering the medicines and, until recently, had not worried about whether a breach would expose personal information. The immediate problem, he said, is getting medicine to people who need it, especially those with more severe symptoms than himself.
“I’m mobile, so I can patrol if I need to, and I can pay in cash if I need to, but there are a lot of people who can’t do that,” he said.
