A cyberattack against UnitedHealth-owned technology company Change Healthcare has shut down its systems for more than a week, hamstringing providers and disrupting pharmacy and other key operations.
Change, which was acquired by insurer UnitedHealth Group’s Optum division in 2022, first reported the network outage on Feb. 21, then later said the problem was a “cybersecurity issue” from an outside threat.
On Thursday, the technology company confirmed the ransomware group AlphV, also known as Blackcat, had claimed responsibility for the attack.
Change offers a range of services to the healthcare sector, including payment and billing, prescription processing and data analytics. The technology firm processes 15 billion healthcare transactions annually and touches one in every three patient records, according to a letter from the American Hospital Association.
“They're employed by a variety of groups, health systems, health plans and vendors. And as a result, the impacts of the cyberattack have been incredibly significant and far-reaching,” Emily Dowsett, associate director of public affairs at the Medical Group Management Association, told Healthcare Dive.
The MGMA sent a letter on Wednesday to HHS Secretary Xavier Becerra, urging the agency to use its authority to support physician practices and ensure patients can access care.
“It is imperative that all Change Healthcare operations be safely reestablished as quickly as possible,” Anders Gilberg, senior vice president of government affairs at the MGMA, wrote in the letter.
A wide range of provider impacts
Healthcare Dive contacted 10 health systems impacted by the outage that reported problems ranging from disrupted revenue management services to delayed prescription-filling processes.
None of the systems said they had received a definitive timeline from UnitedHealth regarding a restoration of services.
“Patient care is our top priority and we have multiple workarounds to ensure people have access to the medications and the care they need,” a UnitedHealth spokesperson said in a statement.
Providers said workarounds are indeed available as UnitedHealth described, but implementing the downtime procedures has come with headaches.
A spokesperson for Louisville, Kentucky-based Baptist Health said the “biggest issue” for Baptist in the days following the attack have been service delays, as pharmacies work through the backlog of claims filed during the outage.
Some medical groups have been unable to receive and finalize payments from insurers and patients, which can be a considerable financial challenge for smaller organizations, MGMA’s Dowsett said.
Administrators at Minneapolis-based Allina Health said downtime procedures have left “a large gap” in the health system’s ability to bill for most hospital services.
“Fortunately, there are manual workarounds to help our patients with their insurance coverage and authorizations,” an Allina Health spokesperson told Healthcare Dive on Wednesday. “However, it is much more difficult to implement workarounds to properly and efficiently get claims submitted to insurance companies.”
Other practices have struggled to check insurance eligibility — compromising their ability to see new patients — or submit prior authorization requests. Allina, Winston-Salem, North Carolina-based Novant Health and the Cleveland Clinic are among the nation’s leading health systems that confirmed insurance processing delays related to the Change outage.
In some cases, pharmacists have been forced to “estimate” the potential copay for a prescription due to a lack of available insurance information, according to a spokesperson for the Cleveland Clinic. At other pharmacies, patients may be charged full price to receive their prescriptions, according to Dowsett.
The potentially high cost of medications is scaring some patients and prompting them to contact their providers, Dowsett said.
“This is pulling people from other work, what they would otherwise be doing, from clinical care,” Dowsett said.
Cyber risks on the rise in healthcare
The attack comes as experts and regulators have been sounding the alarm about cyber threats against the healthcare sector.
Over the past five years, the HHS’ Office for Civil Rights tracked a 256% increase in large data breaches involving hacking and a 264% jump in ransomware, a type of malware that denies users access to their data until a ransom is paid.
AlphV has recently targeted the healthcare industry, according to a bulletin released Tuesday by the HHS, the FBI and the Cybersecurity and Infrastructure Security Agency.
Since the middle of December, healthcare has been the most common victim of the prolific ransomware group, the agencies said. An AlphV administrator called on affiliates to launch cyberattacks against hospitals after law enforcement infiltrated and shut down the group’s infrastructure.
Amid a rise in threats, healthcare organizations need to prepare for cyberattacks, Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, or Health-ISAC, told Healthcare Dive. They should have contingency plans in place in case a cyberattack takes down a vendor’s needed services for days or even weeks.
The center released recommendations this week, advising companies that they don’t need to sever network connections from all UnitedHealth entities to protect themselves from potential infection. UnitedHealth has reported that its investigation has found “no indication” that Optum, UnitedHealthcare and UnitedHealth systems have been affected.
But even disconnecting from affected Change networks can be a challenge because of the complexity of network configuration changes, Weiss added. In addition, some organizations have also raised concerns about other applications as well, like emails from affected domains or document sharing through the Microsoft 365 Office suite.
“There's a little bit of a wake-up call that we’re getting as one of the outcomes from this incident,” Weiss said. “It is demonstrating how complex and interconnected the healthcare ecosystem is in the U.S. and maybe even globally.”