Change Healthcare Cyberattack Affecting Pharmacies Nationwide

A cyberattack on Change Healthcare has affected multiple systems at the Tennessee-based healthcare technology company and has, in turn, affected pharmacies across the United States. Change Healthcare is owned by UnitedHealth, which also owns Optum. Pharmacies that use the Optum system are unable to process insurance claims and determine copayment amounts, which has hampered their ability to fill prescriptions.

In the early hours of February 21, 2024, Change Healthcare confirmed that it was dealing with a cybersecurity issue that had made some Optum systems unavailable. In an update provided at 05:05 EST, Change Healthcare confirmed that the incident had caused enterprise-wide connectivity issues. The issues were expected to continue throughout the day, but have continued through February 23, 2024.

Change Healthcare issued the following statement about the incident on February 21, 2024: “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.” Change Healthcare is investigating the unauthorized activity, has notified law enforcement, and has cybersecurity experts working around the clock to resolve the issues. Systems will be brought back online when it is determined to be safe to do so. Change Healthcare said the incident is thought to be specific to Change Healthcare and that all other systems across UnitedHealth Group are operational.

Change Healthcare’s parent company, UnitedHealth, has filed a report with the U.S. Securities and Exchange Commission (SEC) about the incident. UnitedHealth said that it is unable to provide information on the duration or extent of the disruption and that it believes the attack to be the work of a nation state. It is naturally too soon to tell whether any patient data has been compromised. If that turns out to be the case, the data breach could be considerable. Change Healthcare is one of the largest healthcare technology companies in the United States and processes 15 billion healthcare transactions each year. Change Healthcare explains on its website that one in three U.S. patient records are touched by its clinical connectivity solutions, so up to 129 million Americans could therefore be affected.

The American Hospital Association (AHA) said it has been in touch with the Federal Bureau of Investigation, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency about the incident, and based on those interactions and the statements provided by Change Healthcare, has issued the following statement: “In the interest of protecting our partners and patients, we recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.” The AHA also recommends that organizations that utilize Optum’s services prepare related downtime procedures and contingency plans, as it is possible that Optum’s services will remain unavailable for an extended period.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/