A cyberattack on a unit affiliated with UnitedHealthcare, the nation’s largest insurer, has disrupted prescription drug orders at thousands of pharmacies for nearly a week.
The attack on the unit, Change Healthcare, a division of United’s Optum, was discovered last Wednesday. The attack appears to have been carried out by a foreign country, according to two senior federal law enforcement officials, who expressed concern about the scope of the disturbance on Monday.
UnitedHealth Group, the conglomerate, said in a federal filing that it had been forced to disconnect part of Change Healthcare’s vast digital network from its customers and, as of Monday, was unable to restore all of those services.
Change handles approximately 15 billion transactions annually, representing up to one in three patient records in the US and involving not only prescriptions, but dental, clinical and other medical needs. The company was acquired by UnitedHealth Group for $13 billion in 2022.
This latest attack highlights the vulnerability of healthcare data, especially patients’ personal information, including their private medical records. Hundreds of violations at hospitals, health plans and doctors’ offices are being investigated, according to federal records.
In this case, the turmoil was widespread, including for the US military overseas. Change acts as a digital intermediary to help pharmacies verify a patient’s insurance coverage for their prescriptions, and some reports suggest people have been forced to pay in cash.
Last week, after UnitedHealth discovered what it described as a “suspected nation-state-related cybersecurity threat actor” targeting Change, the company shut down several services, including those that allowed pharmacies to quickly check what a patient owes for a medicine. Some hospitals and physician groups that rely on Change for billing to get paid may also be affected.
Big drugstore chains like Walgreens say the results have been limited, but many smaller outfits say they rely on Change every time they handle a prescription for someone safely.
“For the last week, it’s been up to us whether we can take care of patients or not,” said Dared Price, who operates seven pharmacies in Kansas. While patients can pay cash if the drug is cheap, he says some of his clients have been unable to get more expensive flu or Covid treatments because their insurance status is unclear.
“It’s a disaster,” he said.
Tricare, which covers the US military, said its pharmacies in the United States and abroad are being forced to fill prescriptions by hand. It continued to warn people this week about possible delays in receiving medication.
Details about the attack, including whether personal patient information was stolen, are limited. Change makes short periodic updates to its website. On Monday, the company reiterated that the affected services will likely be unavailable for at least another day. It also stressed that it had a “high level of confidence” that other parts of United’s operations were not targeted in the attack.
But there’s no doubt that United, whose large businesses touch nearly every aspect of health care, made for an especially rich target.
“If you’re going to go after drive theft, you want to go after the biggest drive pot you can find,” said Fred Langston, the chief product officer for Critical Insight, a cybersecurity firm. “You literally hit the jackpot.”
The attacker’s motive is not yet known, Mr. Langston said. It may include ransomware, allowing the perpetrators to demand some sort of ransom. The intent may also have been to throw the health care system into disarray, making it harder to fill prescriptions or bill for care in a timely manner.
“You have a concentration of critical services for the entire sector, which represents a concentration of risk,” said John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association. It advises hospitals to be cautious about linking to Change or affiliated businesses.
The industry has seen an increasing number of such attacks, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit group.
According to federal officials, major healthcare data breaches nearly doubled from 2018 to 2022, including an increase in the number involving ransomware. Patients had to go to different facilities, which delayed treatment, according to a recent report.
Under federal law, patients must ultimately be notified if their information is the subject of some kind of breach, Mr. Steinhauer said. People will be notified even if their information does not appear to have been made publicly available.
“It’s worse if we find out that the information is being sold on the dark web,” he said.
Glenn Thrush and Helen Cooper contributed reporting from Washington.