Change Healthcare Cyberattack Is Still Disrupting Pharmacies, Other Providers
A cyberattack that has disrupted Change Healthcare’s computer networks for nearly a week is creating a growing administrative problem for pharmacies and health-care providers around the nation.
Change Healthcare, a division of UnitedHealth Group Inc., processes insurance claims and pharmacy requests for more than 340,000 physicians and 60,000 pharmacies. The hack was discovered on Feb. 21, prompting UnitedHealth to isolate the impacted systems.
UnitedHealth gave no clearer sense on Tuesday when it would be resolved. Until then, essential connections that distribute data and money across the health-care system are severed, leading to growing backlogs of claims and payments.
Members are reporting disruptions in filling prescriptions and hits to their revenue, given that claims are not being paid in many cases, said John Riggi, a former FBI cyber official who is now national adviser for cybersecurity and risk at the American Hospital Association.
“In the long term, both of those could have a significant impact,” he said. “The longer this goes on the more potential impact we would see to patient care because of impacts to prescriptions or revenue.”
UnitedHealth said it’s working with law enforcement and cybersecurity firms Palo Alto Networks Inc. and Alphabet Inc.’s Mandiant. Most pharmacies have changed how they process claims to blunt the impact, the company said in an email late Monday. The company said reports of members not being able to get prescriptions are “minimal” with fewer than 100 instances across its UnitedHealthcare insurance unit and Optum Rx pharmacy plans.
But the disruption from downed systems threatens to worsen the longer the outage persists.
One health insurer saw the number of claims it receives from providers drop by 40% since the Change Healthcare system went down, according to an executive who asked not to be identified discussing private information.
The plan’s ability to send payments to providers or members being reimbursed for care has also been crippled, delaying payments in the tens of millions of dollars, the executive said. Because Change Healthcare handles all the payments, even claims that had been processed before the Change outage or that it received via other networks can’t be paid. The plan is considering whether to begin the difficult process of sending payments manually, the person said.
UnitedHealth has been holding regular calls with clients, and during a call Sunday attributed the attack to the BlackCat hacking group, the person said. The company had previously said it suspected nation-state linked hackers. Blackcat, also known as ALPHV, is one of the more prolific ransomware gangs.
The Department of Veterans Affairs is among the US agencies that have contracts with Change Healthcare. Terrence Hayes, a spokesperson, said all if its pharmacies were operational but the department had disconnected all systems from Change Healthcare.
During the weekend, state Medicaid agencies worked to make sure patients could get prescriptions, said Lindsey Browning, director of Medicaid programming at the National Association of Medicaid Directors. Medicaid is the safety-net health program for low-income Americans and covers about 87 million people as of October 2023.
This included temporary measures like lifting rules that require prior authorizations or permitting emergency medication refills, she said. As states try to cushion the impact on patients, payments to pharmacies and medical providers are being held up.
“The longer the payment flow to providers is disrupted, the more concerning it becomes,” she said. States are beginning to discuss “what levers could be pulled to help stabilize the delivery system if this drags on,” she said.
The most immediate impact of the hack has been on pharmacy services, but delays in payments are beginning to affect hospitals, and safety net clinics, according to Browning.
The deep reach of Change Healthcare’s services throughout the health-care industry means the ripple effects hit broadly, Riggi said.
“Many hospitals have been impacted in a limited way by this attack, but what makes this different is that almost every hospital in the country touches this system. It’s a systemic entity and a mission-critical third party for the whole sector,” Riggi said, noting that some health-care providers have had to resort to manual methods to try to verify insurance coverage.