Dive Brief:
- UnitedHealth suspects a “nation-state” is behind the cyberattack on its revenue cycle management subsidiary Change Healthcare, the healthcare conglomerate said in a filing with the Securities and Exchange Commission on Thursday.
- Change reported disruptions to its applications on Wednesday before taking its systems offline, citing an “outside threat.” The company handles 15 billion payment transactions each year, and is one of the largest commercial prescription processors in the U.S.
- Pharmacies and other providers nationwide — including military facilities — have reported struggles processing prescriptions as a result of the outage. On Thursday, the American Hospital Association urged hospitals to disconnect from Optum, the UnitedHealth division that includes Change, and check their systems following the attack.
Dive Insight:
Hackers associated with nation-states are to blame for some of the most disruptive cyberattacks in the U.S., including in the healthcare industry.
A series of cyberattacks starting in 2014 against health insurer Anthem, now called Elevance, led to the largest U.S. health data breach in history, exposing the information of almost 79 million people. A cyber group affiliated with China was behind the attack, according to the U.S. government.
Nation-state adversaries including China, Russia, North Korea and Iran pose an “elevated threat” to national security, according to the Cybersecurity and Infrastructure Security Agency.
Attacks from nation-states are aimed at prolonged network intrusion, allowing for espionage, data theft and system disruption, according to CISA.
As geopolitical unrest increases, including from Russia’s invasion of Ukraine and the Israel-Hamas war, so does the threat of cyberattacks in an industry where operational downtime can cause steep financial losses and contribute to worsening patient health, experts say.
UnitedHealth did not identify the country it believes is behind Change attack. When asked for more information, a spokesperson for the company shared Change’s original statement from Wednesday.
It’s hard to determine which nation-state could be behind the attack without knowing more, according to Deron Grzetich, head of cybersecurity at consultancy West Monroe. But the perpetrator likely wasn’t North Korea, which uses ransomware in most of its attacks to gather funds for the country, Grzetich said in an interview.
The cyberattack is isolated to Change, and UnitedHealth’s other operations are unaffected, according to the company.
Change, one of UnitedHealth’s numerous subsidiaries, is one of the largest health technology companies in the U.S., providing payment, clinical and patient engagement services for health insurers, providers and pharmacies.
One in three patient records in the U.S. are “touched by our clinical connectivity solutions,” according to Change’s website.
The company provides technology services for more than 67,000 pharmacies. After Change took down its systems, many pharmacies have been unable to verify patients’ insurance coverage, determine copayment amounts or perform other operations necessary to process prescriptions.
Military healthcare program Tricare says on its website that military clinics and hospitals will be providing prescriptions manually until the cyberattack is resolved.
Other pharmacies that have said they’re having difficulty or are unable to process prescriptions include Scheurer Health in Michigan; 22nd Medical Group in Kansas; and Knight’s Pharmacy in Kentucky.
“Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector,” the AHA said in a Thursday notice to its members.
UnitedHealth is working to restore systems and resume normal operations “as soon as possible, but cannot estimate the duration or extent of the disruption at this time,” the SEC filing says.
As of Friday morning, many of Change’s log-in systems were still down.
West Monroe’s Grzetich said it’s interesting that a nation-state is behind the attack, given an unclear motivation for wanting to disrupt U.S. pharmacy functions. The country could be after data to help its intelligence operations, he said.
Change, which UnitedHealth acquired for $13 billion in 2022, is the latest victim of cybercriminals targeting the healthcare sector.
Cyberattacks against healthcare organizations have been mounting, with recent high-profile attacks against Lurie Children’s Hospital in Chicago and Ardent Health Services, a multistate hospital operator. Experts say healthcare organizations may be more vulnerable to cyberattacks than organizations in other industries, due to decades of underfunding of cybersecurity protocols.