Cybercrime , Fraud Management & Cybercrime , Healthcare

Change Healthcare Cyber Outage Disrupts Firms Nationwide

HHS Issues Special Alert Urging Providers and Contractors to 'Stay Vigilant'
Change Healthcare Cyber Outage Disrupts Firms Nationwide
Image: Change Healthcare

Change Healthcare - a unit of Optum that provides IT services and applications to hundreds of U.S. pharmacies, payers and healthcare providers - is dealing with a cyber incident that has forced the company to take its applications offline enterprisewide. The company said is triaging the situation.

See Also: Reducing Complexity in Healthcare IT

The size of the company's client base and the potential effect on patients prompted the Department of Health and Human Services to issue a special alert Thursday, saying that it is working closely with Optum "to assess the cyber incident and its impact on patient care. The incident is a reminder to all healthcare providers and contractors to stay vigilant."

Optum, which is a subsidiary of UnitedHealth Group, acquired Change Healthcare in October 2022 for $7.8 billion. It has been posting periodic status updates about the incident since it was detected early Wednesday morning.

UnitedHealth Group, in a filing to the U.S. Securities and Exchange Commission late in the day Thursday, said the incident involves "a suspected nation-state associated cyber security threat actor" who gained access to some of the Change Healthcare IT systems.*

"During the disruption, certain networks and transactional services may not be accessible," the filing says. "The company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time."

The company said it working with cybersecurity experts and law enforcement, and it has notified customers, clients and certain government agencies.

UnitedHealth told the SEC that as of the company's filing, the company has not determined that the incident is reasonably likely to materially affect its financial condition or results of operations.

Optum initially on Wednesday said it had been triaging an "issue" and that some of its applications were unavailable. Later on Wednesday, the company added that it was experiencing "enterprise-wide connectivity issues" and was actively isolating and troubleshooting the problem, which was expected to last "at least through the day."

On Thursday, the company was still responding to the incident, and its applications and IT systems were still offline. It again stated that the outage was expected to last "at least" through the day.

"Change Healthcare is experiencing a network interruption related to a cybersecurity issue, and our experts are working to address the matter," Optum said in its latest update Thursday afternoon.

"Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. We will provide updates as more information becomes available."

Optum also said it believes the IT security issue "is specific to Change Healthcare" and that all other systems across UnitedHealth Group are operational.

Change Healthcare on its website boasts that its technology is used to process 15 billion healthcare transactions annually, and that the company's clinical connectivity solutions "touch" 1 in 3 patient records in the U.S.

Optum posted an extensive list of several dozen Change Healthcare applications and services that had been disrupted by the incident. The apps and services are used by clinicians, payers, pharmacies and other healthcare sector clients.

Products include Change Healthcare Enterprise, Clinical Network, Dental Network, Eligibility & Enrollment, Medical Network, Member Engagement & Experience, Pharmacy Benefits, Pharmacy Solutions, Revenue Cycle Management, Claims Management, Provider Communications, and a wide array of other applications and modules.

Optum did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether it involved ransomware and approximately how many of its clients were affected by the outage.

Patient Impact?

Some experts are advising their clients to take precautionary measures in light of the Change Healthcare situation. "We have forwarded the HHS alert to several of our customers and are advising them to sever connections to Optum out of caution," said Wendell Bobst, partner and principal consultant at privacy and security consultancy tw-Security.

Some of the insurers who rely on Change Healthcare's claims processing and pharmacy-related services have posted their own notices about the outage.

"We're aware that some pharmacies are experiencing systems issues due to a nationwide outage from the largest prescription processor in North America," said BlueCross BlueShield of Montana in a statement Wednesday.

"Some pharmacies cannot confirm insurance coverage, which could delay filling or refilling your medications. We apologize for this inconvenience."

BlueCross BlueShield of Montana advised plan members that if they choose not to delay filling their prescriptions, "you have the option to pay for the medication out-of-pocket and submit the receipt with the reimbursement form. You may also try to fill the prescription at another pharmacy."

Change Healthcare's website says that it partners with other technology firms for some of its offerings, including Microsoft and its Azure cloud services for Change Healthcare's various pharmacy solutions.

Microsoft did not immediately respond to ISMG's request for comment on whether it has been affected by the Change Healthcare incident.

Change Healthcare's cyber incident joins a long and growing list of critical IT and related services providers to the healthcare sector that have been targeted in recent months and years. Those include ransomware attacks that have caused long disruptions as well as exfiltration incidents that have resulted in major health data breaches.

But these problems have not been limited to the U.S. healthcare sector.

Last November, a ransomware attack on Canada's TransForm Shared Service Organization, which provides IT services to several regional hospitals in Ontario, caused electronic health records and other IT systems outages that lingered for more than a month (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).

A ransomware attack on Advanced, a U.K-based technology firm whose Adastra system is used by Britain's National Health Service, caused monthlong disruptions to the NHS' "111" emergency medical care triage activities and other healthcare services in August 2022 (see: Ransomware Attack Caused NHS IT Outage, Says Vendor).

Healthcare sector entities must always be prepared to not only respond to cyberattacks on their IT network but also to handle incidents that disrupt critical IT services providers and other vendors, experts say.

"The healthcare sector is always considered a lucrative target because of the very serious sense of urgency whenever IT operations are disrupted, not to mention interrupted entirely," said Yossi Rachman, senior director of security research at security firm Semperis.

"While there's nothing in Change Healthcare's updates that indicate this is the result of a ransomware attack, widespread IT interruptions are usually indicative of such types of attacks," he said.

Besides implementing cybersecurity measures - such as employee training, security updates, network and system security hygiene, integration of real-time identity and endpoint detection and response solutions - to help prevent falling victim to these incidents, entities must be prepared for potential worst-case scenarios involving their IT or their vendors, according to Rachman.

"I recommend that healthcare sector clients prepare processes and perform regular drills for handling IT disruptions as result of cybersecurity issues," he said.

That includes preparing disaster recovery plans for incidents involving data theft, destruction, corruption or system inaccessibility in their environments or their vendors.

"Proper cybersecurity measures are critical to mitigating operational risks in any modern data-driven organization. There's simply no other way around it."

*Update: Feb. 23, 2024 UTC 13:34 to reflect UnitedHealth Group's filing Thursday afternoon to the SEC.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.