UnitedHealth Blamed ‘Nation-State’ Threat in Hack That Disrupted Pharmacy Orders

(Bloomberg) -- A cyberattack against a division of UnitedHealth Group Inc. has caused a nationwide outage of a computer network that’s used to transmit data between health-care providers and insurance companies, rendering some pharmacies unable to process prescriptions, according to the company and reports from affected organizations.

Most Read from Bloomberg

• BYD’s New $233,450 EV Supercar to Rival Ferrari, Lamborghini

• Stock Rally Stalls at Start of Data-Packed Week: Markets Wrap

• Freddie Mercury’s London Residence Lists at £30 Million

• Jacob Rothschild, Financier and Philanthropist, Dies at 87

• A Spike in Heart Disease Deaths Since Covid Is Puzzling Scientists

UnitedHealth found a “suspected nation-state associated cyber security threat actor” had access to subsidiary Change Healthcare’s systems on Feb. 21, prompting the company to disconnect them from other parties, the company said in a filing Thursday.

UnitedHealth, the country’s largest health insurer, said in a statement Thursday that the cyberattack and related “network interruption” only impacted Change Healthcare and that all its other systems are operational. Change Healthcare is a key intermediary in the $1.5 trillion US health insurance market.

UnitedHealth is working with law enforcement and security experts but can’t say when the service will be restored, according to the filing. The company hasn’t determined that the attack is likely to affect its financial results, it said.

“Change Healthcare is experiencing a cybersecurity issue, and our experts are working to address the matter,” the Minnetonka, Minnesota-based company said earlier in a statement on its website. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact.”

The incident is the latest in a series of attacks where hackers have compromised providers of back-end IT software and services — companies that are often little-known outside of their industries yet play critical roles in the normal functioning of everything from financial markets to government services — and triggered cascading disruptions across their customer bases.

Last month, for example, a ransomware attack against Tietoevry Oyj, a Finnish information technology company, crippled payroll and other services for government agencies and hospitals, retailers, cinemas and other customers throughout Sweden. Three days later, a ransomware attack against EquiLend, a financial technology firm in New York whose software processes trillions of dollars of stocks, bonds and derivatives trades each month, knocked some of that company’s services offline, causing trading desks at some of the world’s biggest banks to revert to inputting transactions manually.

Read More: Latest Cyberattack Leaves Banks Stuck With Excel and a Headache

The full scale of the disruptions caused by the UnitedHealth attack isn’t yet known; the company declined to provide further details. But some impacted organizations have disclosed information online.

“We’re aware that some pharmacies are experiencing systems issues due to a nationwide outage from the largest prescription processor in North America,” BlueCross BlueShield of Montana said in a statement posted to its website. “Some pharmacies cannot confirm insurance coverage, which could delay filling or refilling your medications.”

The statement continued, “If you choose not to delay filling your prescription, you have the option to pay for the medication out-of-pocket and submit the receipt with the reimbursement form. You may also try to fill the prescription at another pharmacy.”

The size of Change Healthcare’s operations is massive. The company operates the largest medical electronic data interchange (EDI) clearinghouse in the country, a network that acts as a middleman shuttling claims information back and forth between insurance companies and doctor’s offices, hospitals and other health-care providers seeking payment for their services, according to public filings.

When Change Healthcare went public in 2019, the Nashville, Tennessee-based company’s S-1 filing included key details about the business, including that its customers include “the vast majority of US payers and providers” and “approximately 2,200 government and commercial payer connections, 900,000 physicians, 118,000 dentists, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.” A lawsuit three years later by the US Department of Justice opposing the company’s $7.8 billion acquisition by UnitedHealth on the grounds that it would give the insurance giant visibility into and control over rival insurers’ proprietary data, described Change Health as a linchpin of the US health-care system. It also stated that “over 50% of US medical claims pass through (or touch) Change’s EDI clearinghouse, making it a vital link between providers and insurers.” The Justice Department lost its antitrust challenge, and the deal closed in October 2022.

On Thursday, a representative of the American Hospital Association, an organization that also opposed the acquisition, published an alert to the group’s roughly 5,000 member hospitals and other health-care providers advising them to disconnect their systems from Change Healthcare, which is part of UnitedHealth’s Optum information technology division.

“Due to the sector-wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health-care technologies and clinical authorizations provided by Optum across the health care sector,” John Riggi, a former FBI cyber official and now the hospital group’s national adviser for cybersecurity and risk, posted on his LinkedIn page. “Based upon below statements from Optum, that they became aware of an ‘outside threat’ and disconnected ‘in the interest of protecting our partners and patients,’ we are recommending that all health-care organizations should also consider disconnection from Optum as well, until independently deemed safe to reconnect to Optum.”

The two biggest US pharmacy chains said they both were experiencing limited disruptions. In a statement, CVS said it is continuing to fill prescriptions “but in certain cases we are not able to process insurance claims, which our business continuity plan is addressing to ensure patients continue to have access to their prescriptions.” Walgreens Boots Alliance said the “vast majority” of prescriptions it fills were not impacted, but that “for the small percentage that may be affected, we have procedures in place so that we can continue to process and fill these prescriptions with minimal delay or interruption.”

--With assistance from Fiona Rutherford.

(Updates with additional details from filing starting in second paragraph)

Most Read from Bloomberg Businessweek

• Elon Musk’s Vegas Tunnel Project Has Been Racking Up Safety Violations

• The High Cost of Eating Out in America

• Transcript: Did Musk Buy Twitter to Keep His Movements Secret?

• Why Elon Musk Bought Twitter in the First Place

• Can the Masters of Hipster Cringe Conquer Hollywood With Wall Street Cash?

©2024 Bloomberg L.P.