Change Healthcare is grappling with a cybersecurity incident. Change, which is part of Optum, provides healthcare technology services to hospitals. Health systems are worried about potential ripple effects.
Hospitals are seeing the impact from the cyberattack that has hit Change Healthcare, and health systems are worried about the possibility of wider disruptions.
UnitedHealth Group, the parent company of Optum, which includes Change Healthcare, said in an SEC filing the incident was discovered Wed., Feb. 21. Optum said Friday it had disconnected Change Healthcare’s systems and is highly confident that UnitedHealthcare systems and Optum’s systems have not been affected.
Hospitals are anxious about the ramifications of the attack, John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association, told Chief Healthcare Executive®.
“My understanding is Change/Optum touches almost every hospital in the United States in one way or another,” Riggi said in an interview Friday night.
Change Healthcare’s services to health systems include pharmacy solutions, revenue cycle management, data analysis, patient engagement and clinical support. So far, Riggi said the hospital association has received anecdotal reports of disruptions to hospitals with prescriptions and payment reimbursements.
“This is really a systemic issue,” Riggi said. “This is not only an attack on Change Healthcare/Optum. … Yes, it was an attack on that individual organization, but it has sector-wide impact in potential risk. So really, this is an attack on the entire sector.”
Some military hospitals around the world have been affected. The Naval Hospital at Camp Pendleton posted a message on its website that said the attack on Change Healthcare “has affected military clinics and hospitals worldwide.”
“This is impacting all military pharmacies worldwide and some retail pharmacies nationally,” the hospital message stated. The naval hospital said it is filling prescriptions manually, with priority going to this with urgent needs.
Fears of financial, clinical impacts
With Change Heatlhcare’s systems being disconnected, Riggi said the hope is that the malware is contained and “will not spread to other hospitals.” But he said there could be cascading effects that could affect hospitals and health systems.
“Hospitals and providers, physicians, may not get timely reimbursement from their insurers,” Riggi said. “That's one of the primary services that Change provided.”
Then, hospitals could see clinical impacts.
“As of now, there are delays in prescriptions. They're being done manually, probably causing some delay. What is the impact to patient care there? Is it posing a risk to patient safety or again, understanding what the clinical impact will be? And as this extends, those impacts could become more pronounced.”
Hospitals are also worried about the potential for disruptions in getting authorization for treatments and services.
“Many hospitals have expressed concern about potential, future, timely pre-authorizations for surgeries and other clinical procedures,” Riggi said. “We haven't seen that yet. At least I'm not aware of it, I should say. But many, many hospitals are expressing concern about that as a potential impact.”
Riggi said he has been on the phone with federal law enforcement officials throughout the day, and he said they have been responding aggressively. FBI officials held a conference call Friday with other federal officials and thousands of hospital leaders.
Some pharmacies had reported delays in filling prescriptions, and Walgreen’s has seen some issues, CBS News reported.
About the attack
UnitedHealth said in the filing that “a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”
In a post Friday, Optum said, “In the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to.”
“We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” Optum said in the post. Aside from Change Healthcare, all other systems across UnitedHealth Group are operational, Optum said.
Still, the American Hospital Association is urging hospitals to take caution, since Change Healthcare, and Optum, provide a wide array of services used by health systems.
Even as Optum says it has high confidence that its systems appear to be secure, Riggi said that health systems should make their own risk assessments on remaining connected to Optum’s network. Riggi added that for Change Healthcare systems that remain down, hospitals should consider disconnecting those systems, or keeping them disconnected.
“We're saying stay disconnected on our side, so it's shut off from both ends,” Riggi said. “So just to make sure that if the adversary was in their network, and they opened it up again, that they won't have an electronic bridge into other organizations. So you want to basically close the bridge from both sides.”
Hospitals should also ensure all known vulnerabilities have been patched, and review their cyber incident response plans.
UnitedHealth said the organization is working with law enforcement and has notified customers and government agencies.
It’s unclear how long the disruptions will continue. In a post at 6:03 p.m. Friday, Optum said the disruption “is expected to last at least through the day,” a message the company has posted since Wednesday.
Optum said it would be cautious as it works to restore Change Healthcare’s systems.
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect,” Optum said Friday afternoon.
Concerns about disruptions
Riggi credited Optum for being transparent about the nature of the disruption stemming from a cyberattack, and for taking proactive steps to disconnect systems.
Nonetheless, Riggi said, “We still have strong concerns as voiced by our members about the timeline, the restoration and the ongoing impact and disruption to the services that they provide.”
Health systems and hospitals have faced hundreds of cybersecurity incidents in recent years. An attack affecting Ann & Robert H. Lurie’s Children Hospital in Chicago last month gained nationwide attention.
Most attacks involve criminals seeking ransom payments to restore services or threats to release private health information unless they’re paid. While Riggi said he couldn’t comment specifically on the motives or demands in the Change Healthcare incident, he said groups involved in cyberattacks generally are looking to get paid.
“A group extorting a payment from a victim often relies on the disruption they cause,” Riggi said. “So it goes hand in hand. The reason why hospitals are attacked quite a bit, is because they know the disruption poses an immediate risk to patient care and safety. So that disruption creates an urgency to restore. Their ultimate goal is to collect the ransom payment.”
Health systems of all sizes have suffered breaches of their systems in cyberattacks. More than 100 million Americans were affected by breaches of private health information in 2023.
Riggi has repeatedly warned hospitals and health systems about the risks of attacks on third parties, and advised hospitals to work with vendors to minimize potential threats. While he stressed that he wasn’t faulting Optum, Riggi said the incident underscores the need for hospitals to look beyond their own organizations when it comes to cybersecurity.
“I've talked a lot about third-party risk being a major force of cyber risk exposure for the healthcare sector,” Riggi said.
“Whenever you have a concentration of mission critical services under one entity, you have a concentration of risk as well,” he added. “If that entity is hit, and all those mission critical services become unavailable, there is sector-wide impact and risk.”
Read more: These are the 11 biggest health data breaches of 2023