How a Ransomware Attack Exposed the U.S. Healthcare System’s Vulnerabilities

Highlights

• A ransomware attack hacks U.S. insurer UnitedHealth Group’s prescription processor paralysing the entire system including pharmacies, hospitals and clinics

• The cyber attack disrupts medical services and access to prescription drugs

• UnitedHealth allegedly pays USD 22 million to regain access to its systems

A unit of U.S. based insurer UnitedHealth Group Inc.’s subsidiary Optum experienced a cyber attack on February 21, 2024. The ransomware attack targeted the insurer’s prescription processor Change Healthcare, allowing hackers gaining access to some of its information technology systems.

A system-wide disruption

Change Healthcare along with Optum serves more than 67,000 pharmacies plus 129 million individuals with prescription processing and technological supplies. The cyber event has had a cascading effect on several associated companies ranging from pharmaceuticals to hospitals and clinics.

The American Hospital Association said in a statement that Optum’s “sector wide presence” could lead to significant disruption across the value chain. The cyber attack may impact “mission critical services” such as insurance verification, clinical authorisations and payments processing, the industry trade group added. The association had called upon healthcare companies to disconnect from Optum’s system to contain the security breach.

The initial impact was felt by patients who were unable to acquire prescription-based medication using insurance. Pharmacies could not bill insurance plans for the prescription with patients having to pay out of pocket to purchase vital medicines.

Nearly two weeks post the ransomware attack, the incident continues to impact claims processing activities. Doctors across the country face hurdles in verifying insurance plans, submit claims as well as receive payments.

Patients as well as doctors bear the brunt

The U.S. government plans to work with Medicare service providers to negotiate flexible payment terms for members. For example, Mel Davies, Chief Financial Officer of Oregon Specialty Group, said that the organisation is struggling to cope with the daily cost of services such as chemotherapy totaling about USD 1 million. The healthcare service provider faced obstacles to care for patients who take oral cancer drugs as the prescriptions need to be filled at retail pharmacies.

Ted Okon, Executive Director of the Community Oncology Alliance, said that oncologists have to go through several online approvals and red tape before a patient is eligible to receive treatment, a practice that has come to a stop post the cyber attack.

Laura Steensen, a Partner at GBCC Behavioral Health, a counseling center with six clinics across Maryland, said that the firm has not been able to bill any patient for therapy and sessions.

According to recent reports, United Health has allegedly paid the hackers about USD 22 million in bitcoin to regain access to its data and IT systems.