Pharmacies warned of long waits for customers and U.S. military clinics worldwide have been affected after a cyberattack against one of the country’s largest prescription processors rolled into a third day of downtime.
Health industry experts said that a cyberattack against Change Healthcare, part of insurer UnitedHealth Group’s Optum business, could have severe and lasting consequences should outages continue past the weekend.
“It’s a mess, and I believe it’s our Colonial Pipeline moment in healthcare,” said Carter Groome, chief executive of healthcare-focused consulting firm First Health Advisory, referring to a 2021 cyberattack that forced the major fuel artery for the U.S. East Coast to shut down for six days, causing long lines at gas stations.
Change Healthcare was merged with Optum, a healthcare provider, in 2022 by UnitedHealth. Change Healthcare provides prescription processing services through Optum, which supplies technology services for more than 67,000 pharmacies and care to 129 million individual customers.
Parent company UnitedHealth said Thursday in a regulatory filing with the U.S. Securities and Exchange Commission that it identified a cyberattack affecting systems at Change Healthcare on Wednesday. The company suspects a nation-state was behind the attack, the filing said.
UnitedHealth hasn’t provided any further information about the nature of the attack and Change Healthcare has posted the same status update repeatedly on its website since Wednesday afternoon. The company said it took steps to disconnect its systems after identifying the attack, and that it can’t estimate how long the disruption will last. Change Healthcare said more than 100 of its systems are affected.
A spokesperson for UnitedHealth provided the same information after a request for comment.
The American Hospital Association urged healthcare facilities Wednesday to disconnect from Optum and to check their systems for security vulnerabilities.
“We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said.
The association also urged members to test their data backups, check that critical patches are up-to-date and designate staff for shifts to manage manual processes.
“There is fragility in our infrastructure and in the lack of redundancy, the lack of rehearsals,” said Theresa Payton, CEO at cybersecurity consulting firm Fortalice.
Healthcare organizations have come under sustained assault from hackers in recent years, with 2023 reaching record levels of attacks by September. Data on over 133 million people was breached by attacks over the course of last year, according to regulatory filings. Cybercriminals frequently target healthcare providers because of the sensitive personal and financial information they hold on patients, and because any interruption in service can have severe consequences for patient safety, potentially making companies more likely to pay ransoms.
Tricare, the U.S. military’s healthcare provider for active-duty personnel, said all military pharmacies, clinics and hospitals worldwide were affected by Change Healthcare’s systems going offline. The pharmacies are filling prescriptions manually. Landstuhl Regional Medical Center in Germany, the largest military hospital outside the U.S., said on social media it was experiencing delays and warned patients to expect longer wait times as a result of the disruption.
Scott Air Force Base in Illinois said in a social-media post that its clinic “is facing heavy delays with both activation and refill for prescriptions.” General Leonard Wood Army Community Hospital in Missouri said it would fill prescriptions using “an offline process.”
Many local retail pharmacies have warned of delays and an inability to send orders through insurance plans.
