Pharmacies across the United States are still grappling with substantial disruptions following a cyberattack on UnitedHealth’s technology unit, Change Healthcare, as reported by multiple pharmacy chains through official statements and on various social media platforms. The attack led to a nationwide outage of a network designed to communicate data between healthcare providers and insurance companies.
According to a filing last Thursday with the Securities and Exchange Commission (SEC), UnitedHealth discovered a “suspected nation-state associated cyber security threat actor” had access to subsidiary Change Healthcare’s systems on Wednesday.
The healthcare technology company, a part of Optum and owned by UnitedHealth Group, shared in a statement on its website on Monday that it had taken “immediate action to disconnect Change Healthcare’s systems to prevent further impact in the interest of protecting our partners and patients.” It further listed more than 100 Change Healthcare services that were impacted by the attack, including benefits verification, claims submission, and prior authorization.
The company did not provide a timeline for when services would be restored. Fast Company reached out to Change Healthcare for additional information and will update this post if we hear back.
Despite the widespread disruption, including prescription delays and frozen services at numerous pharmacies across the United States, the media response to the news has been noticeably low-key. As one contributor to a cybersecurity-focused Reddit forum posed, “I get that it will take some time before this gets to a critical mass of impacting the general public. Also, I suspect the impacted age group so far is skewed above the social media age. Still, it seems like a big story of a single point of failure regardless of what the root cause ends up being.”
Healthcare services, as part of an ongoing digital transformation, are gradually integrating technology into their processes and patient care. This shift has increased the importance of easily accessible and shareable patient data, making healthcare services particularly attractive to would-be cyberattackers. As data systems become crucial for hospital operations, some may prefer paying a ransom to restore functionality rather than risking losing access to their digital networks.
This vulnerability leaves hospitals exposed to cyberattacks, and even if a ransom is paid, there is no guarantee that attackers have deleted stolen data. Furthermore, hospitals must navigate the legal obligation to disclose data breaches, placing the responsibility squarely on their shoulders in dealing with such attacks.