UnitedHealth stated on Monday that the disruption has not yet impacted provider cash flows, as payments are usually processed one to two weeks after they are issued.
Change Healthcare’s systems have been down for the seventh consecutive day after a cyber threat actor accessed its network last week. UnitedHealth Group, the parent company, reported that most U.S. pharmacies have implemented electronic workarounds to mitigate the impact.
According to a filing with the U.S. Securities and Exchange Commission on Thursday, UnitedHealth identified a “suspected nation-state-associated” threat actor that breached part of Change Healthcare’s IT network on Wednesday. The company isolated and disconnected the affected systems “immediately upon detection” of the threat.
Change Healthcare provides tools for payment and revenue cycle management, and its system outages have disrupted operations in pharmacies and health systems nationwide. UnitedHealth announced late Monday that more than 90% of the country’s pharmacies have implemented modified electronic claims processing workarounds, while the remainder have set up offline processing systems.
The disruption has not yet affected provider cash flows, as payments are typically processed one to two weeks after issuance, UnitedHealth said on Monday.
As the largest health-care company in the U.S. by market cap, UnitedHealth owns Optum, which serves over 100 million patients in the U.S., according to its website. Change Healthcare merged with Optum in 2022.
In updates posted since Wednesday, Change Healthcare has expressed “high-level” confidence that the attack did not affect Optum, UnitedHealthcare, or UnitedHealth Group’s systems. UnitedHealth stated that these entities are working with external partners, including Palo Alto Networks and Google Cloud’s Mandiant, to evaluate the breach.
“We value the collaboration and dedication of all our stakeholders to ensure that providers and pharmacists have effective workarounds in place while systems are being restored,” UnitedHealth said in a statement to CNBC on Monday night.
The attack on Change Healthcare comes in a year that has already set a troubling record for health-related cybercrime. According to a January report from The HIPAA Journal, there were 725 significant health care security breaches in 2023, surpassing the previous year’s record of 720.
Health data is a prime target for criminals due to its potential for easy monetization and sale on the dark web, which can facilitate other crimes such as identity theft and health care fraud, explained John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
Riggi noted that the health care sector faces various types of cyberattacks, including data theft and ransomware. In data theft attacks, hackers infiltrate systems to steal information, while ransomware attacks can cause immediate harm by encrypting all network data, rendering systems unusable. This disruption can lead to outages of diagnostic equipment like CT scanners and cause delays in emergency care as ambulances are often rerouted.
UnitedHealth has not yet detailed the specifics of the attack on Change Healthcare.
“This isn’t just an attack on them; it’s an attack on the entire health care sector,” Riggi said.
Given the complexity of the health care industry with numerous entry points, achieving 100% security can be challenging, noted Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.
However, individuals can take measures to protect their personal data, such as keeping software updated, enabling multifactor authentication, and using strong, unique passwords.
“We all have a role in keeping ourselves safe online,” Steinhauer told CNBC in an interview.
Riggi emphasized that senior health care leaders must allocate substantial resources to cybersecurity and recognize that it impacts “every function” of the organization. Along with implementing essential technical defenses, he suggested that health systems should cultivate a culture where every employee feels integral to the cybersecurity efforts.
However, Riggi pointed out that offense is just as crucial as defense in preventing cyberattacks.
“This is akin to cyber terrorism,” he said. “The government needs to prioritize and focus its resources on targeting the perpetrators of these attacks.”
While UnitedHealth has not detailed which specific Change Healthcare systems have been affected, the repercussions of the cyberattack have created widespread issues across the U.S. health care system.
CVS Health reported to CNBC on Saturday that some of its business operations have been disrupted by the attack. The company has faced difficulties processing insurance claims in certain cases, although it can still fill prescriptions. CVS Health stated that there is “no indication” that its systems have been compromised.
Walgreens informed CNBC that its pharmacy operations and the “vast majority” of its prescriptions have not been affected by the Change Healthcare breach. The company has procedures in place to handle the “small percentage” of prescriptions that might encounter issues.
For consumers like Cary Brazeman, the disruption has been frustrating.
Brazeman attempted to pick up a prescription at a Vons pharmacy in Palm Springs, California, on Saturday, a day after visiting his dermatologist, but was unsuccessful. He was informed that the pharmacy had not received the prescription from his doctor, and even if they had, they wouldn’t have been able to process his insurance.
“I’m like, ‘Okay, what am I supposed to do now?’ and they’re like, ‘We don’t know,’” Brazeman told CNBC.
By Monday, Brazeman noted that the pharmacy had implemented a workaround to communicate with some insurance companies, but not all. He plans to revisit his doctor on Tuesday to obtain a paper prescription to take to the pharmacy and hopes they can process his insurance.
Brazeman mentioned that, while initially focused on the logistics of obtaining his medication, he has recently become concerned about whether his personal information was compromised. His primary concern remains ensuring that medication reaches those who need it, particularly individuals with more serious conditions.
“I’m mobile, so I can make these rounds if necessary, and I can pay cash if needed, but many people cannot,” he said.
