U.S. health tech company Change Healthcare experienced a cyber attack that caused network interruption and service disruption across numerous pharmacies.
Change Healthcare facilitates healthcare payments, handling over 15 billion transactions annually. In 2022, Change Healthcare merged with Optum, a UnitedHealth Group (UHG) subsidiary, in a $7.8 billion deal that gave the latter access to over 80 million patient records.
UHG is the largest healthcare service provider in the world. It employs over 440,000 people and earned $324 billion in revenue in 2022.
The cyber attack affected various systems across healthcare enterprise, pharmacy, medical records, dental, claims, and payment services.
Nation-state actor breached health tech company Change Healthcare
On Feb 22, Change Healthcare said it learned of the cyber attack incident the day before and immediately disconnected its systems to prevent further impact.
“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” said Change Healthcare.
In a Securities and Exchange Commission (SEC) filing, the Nashville, Tennessee-based company said it also retained the services of an external cyber forensics firm and notified relevant authorities and potential victims.
“The Company has retained leading security experts, is working with law enforcement, and notified customers, clients, and certain government agencies,” said Change Healthcare.
The health tech company believes the cyber attack was “specific to Change Healthcare systems” and did not spread to other organizations.
“At this time, we believe the issue is specific to Change Healthcare, and all other systems across UnitedHealth Group are operational,” the health tech company added.
Change Healthcare attributed the cyber attack to a suspected nation-state threat actor whose motive remains undetermined.
State-sponsored hackers usually target healthcare organizations to steal intellectual property for cyber espionage, and protected health information (PHI) and personally identifiable information (PII) for intelligence gathering. In cyber warfare, they disrupt the healthcare and public health sectors, which are part of the critical infrastructure, to cause harm and panic.
Meanwhile, the health tech company is unaware whether the cyber attack will materially impact its financial condition or results of operations. Similarly, the nature of the cyber security incident, including whether ransomware was deployed, whether PII or PHI was stolen, and which attack vector was exploited, remains unknown or undisclosed.
Nevertheless, the health tech company is working to restore impacted systems safely, although it cannot “estimate the duration or extent of the disruption at this time.”
Between Feb 21 and Feb 25, the company said some systems were experiencing connectivity issues, and the disruption was “expected to last at least through the day.”
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” the health tech company said in a status update.
Change Healthcare cyber attack disrupts numerous pharmacies
Numerous pharmacies were unable to process payments and file insurance claims, preventing them from filling prescriptions.
“Pharmacies across the country are already reporting delays in filling prescriptions and providing services as a result of this attack, marking the real-world dangers to human health cyberattacks can cause,” said Nick Tausek, Lead Security Automation Architect at Swimlane.
The Stanwood, Michigan-based Canadian Lakes Pharmacy posted on social media that a system disruption at one of North America’s “largest prescription processors” prevented it from billing insurance companies for prescriptions. Roughly a day later, the drug dispenser said the billing system had resumed normal operations.
The Naval Hospital at Camp Pendleton also tweeted that an “enterprise-wide issue” prevented it from processing prescription claims, forcing it to handle only emergency and urgent requests.
The cyber attack also impacted CVS, forcing some patients to pay in cash, while Scheurer Health could not process prescriptions through patients’ insurance on Wednesday.
Walgreens said it faced minimal disruptions, with a small percentage of its prescription orders likely to be affected as a result of the cyber attack.
“This incident serves as a stark reminder of the ever-present threats facing the healthcare sector, reinforcing the idea that cybersecurity must be a top priority for all organizations across all verticals, especially those handling sensitive patient data,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “This situation underscores the necessity for transparency in the aftermath of cyber incidents, as well as the ongoing need for investment in cybersecurity defenses, robust processes, and staff security awareness and training to reduce the risk of such attacks.”