Desperate patients around the country have been forced to choose between paying out of pocket for essential medications or forgoing them entirely as the aftermath of a cyberattack on a major health care company stretches into its third week. 

Change Healthcare, a little-known but critical subsidiary of UnitedHealth Group, detected the attack on Feb. 21. Since then, pharmacies, doctors’ offices and patients say their lives and work have been upended due to widespread outages in systems commonly used for medical billing and insurance claims.

Disruptions to co-pay assistance and coupon card processing at pharmacies, in particular, have highlighted key vulnerabilities in a system on which people’s lives depend.

Ronda Miller, 54, said she and her husband rely on a discount card to afford his insulin — he has type 2 diabetes and congestive heart failure. But when she attempted to pick up his medication at her pharmacy in Deadwood, South Dakota, on Feb. 22, the card could not be processed. Without it, the medications would cost hundreds of dollars.

“When you are diabetic, whether it’s type 1 or type 2, without insulin they’re going to die,” Miller said.

Change Healthcare’s technology is involved in transactions throughout the industry — beyond those involving United Healthcare insurance. The company says it completes 15 billion transactions per year, amounting to $1.5 trillion in health claims. On its website, Change said the hack affected 21 parts of its business, including many that providers use to receive payments, get reimbursed by insurers and process patients’ insurance eligibility.

“Anything that requires interaction between health plans, a pharmacy, a facility, an office has been disrupted,” said Dr. Jesse Ehrenfeld, president of the American Medical Association. “That has far-reaching implications, whether you’re on routine, standard medications, whether you rely on a rebate program from a pharmaceutical company, whether you’re just trying to get clearance to have routine elective surgery.” 

UnitedHealth Group said in a statement after the cyberattack that it took “immediate action to disconnect Change Healthcare’s systems to prevent further impact” and that the services would “remain offline until we are certain we can turn them back on safely.”

On Tuesday, the company said that a new network connecting pharmacies to benefit managers could come online as soon as Thursday.

Laura Lester, who owns Marion Family Pharmacy in Marion, Virginia, said the biggest effect in her community has been on patients who can’t afford their medications without co-pay assistance cards.

“We’ve got people walking away from diabetes medicines, antipsychotics, ADHD medications,” she said. 

“We had one woman yesterday who had to pay $1,100 out of pocket because the co-pay card wasn’t working,” Lester added. The patient needed the medication for her irritable bowel syndrome, she said.

Even patients who don’t use co-pay assistance have faced immense challenges. Donna Hamlet, a 73-year-old breast cancer patient at Florida Cancer Specialists & Research Institute, takes a medication called IBRANCE that would cost her around $16,000 per month without insurance. But on Feb. 23, she said, a pharmacist told her they couldn’t process her refill through insurance because of the cyberattack.

Without the drug, Hamlet said, “the cancer would fill up my body and I guess I would die.”

After four or five days of phone calls, she got her prescription filled via OptumRx, a UnitedHealth Group pharmacy benefit manager. 

Nathan Walcker, CEO of the Florida institute treating Hamlet, estimates that $350 million worth of the practice’s charges have been affected by billing delays due to the cyberattack.

But Walcker said he worries most about patients who can’t get prior authorizations processed — many insurance companies require this for cancer treatments, which can cost up to $100,000 per course. 

“We have no ability today to even know if we have a prior authorization in hand for a new patient,” he said. 

The Centers for Medicare and Medicaid Services on Tuesday encouraged Medicare and Medicaid programs to remove or relax prior authorizations during the outage, and to consider giving health providers advanced funding. Hospitals can submit accelerated payment requests, CMS said, and Medicare providers struggling to submit claims can send paper versions and may be eligible for exceptions or extensions.

UnitedHealth Group said that as of Tuesday, around 90% of claims were “flowing uninterrupted,” with pharmacy claims “flowing at near-normal levels,” thanks to temporary fixes or systems coming back online.

The company has encouraged health care providers to switch to an Optum system to expedite the process of submitting claims and receiving payments. Meanwhile, the new network connection that the company expects on Thursday should address “the majority of the coupon volume” managed by Change Healthcare, it said.

Optum is also offering temporary loans to medical practices, but providers say they’re insufficient.

Dr. Christine Meyer, who owns an internal medicine practice in Exton, Pennsylvania, said her office submits up to $600,000 per month in claims but was only offered a monthly loan of $4,000.

Amid the sudden halt in revenue, Meyer said, the small offer was “an emotional slap in the face.”

Her practice is manually submitting some claims to insurance websites, she said, and her staff printed around 1,000 paper claims and FedExed them to Medicare. 

“The next thing I have to do is start to cut expenses, stop buying supplies and vaccines, then reduce our staff, then reduce our hours and then, God forbid, the unthinkable: just shut our doors,” Meyer said.

Doctors, pharmacists and industry experts say the hack has exposed major vulnerabilities in the health sector, particularly given Change Healthcare’s dominance. 

“How do you have a system where it has this big of a leak and almost two weeks later, you’re leaving the small pharmacy owners to try to figure out a solution?” said Dr. Mayank Amin, the owner of Skippack Pharmacy in Skippack, Pennsylvania.

Amin said he and his staff have spent hours calling insurance companies to find out patients’ eligibility manually, one at a time. The work has kept him up until 2 a.m. every night, he said. Amin even plans to pick up free samples of a blood-thinner medication tomorrow from a local doctor’s office to distribute to a patient.

“What do I get out of this? Zero profit, but the feeling that you’re able to help somebody who relies on you,” he said.

Ronda Miller said her pharmacy in South Dakota gave her husband a free box of his diabetes medication for now, and his doctor also provided a sample. But for families like hers, she said, the disruption has meant “playing with people’s lives.”

Change Healthcare said the perpetrator of the cyberattack “represented itself to us as ALPHV/Blackcat.” Alphv was involved in the attack on MGM Resorts last year, costing the company $100 million. It is developed and maintained by a group of Russian-speaking cybercriminals.

In total last year, victims of cybercrime sent a record $1 billion in extortion payments to ransomware criminals, according to Chainalysis, a company that tracks cryptocurrency payments.

UnitedHealthcare did not answer questions about whether it paid a ransom. But experts at the cybersecurity company Recorded Future and the cryptocurrency analytics company Tenable pointed to a bitcoin wallet that received a payment of more than $22 million on Friday. The companies say the wallet, which was viewed by NBC News, belonged to Alphv. Wired first reported the news.

The sum has since been doled out, mostly in $3.2 million portions that the two companies have not been able to trace fully. Alphv’s site on the dark web claims it is no longer operational.

Eric Noonan, a cybersecurity expert and the CEO of CyberSheath, said that if UnitedHealth did pay a ransom, “it’s a terrible precedent because what it now does is say this is a viable market.”

Change Healthcare was “a very attractive target,” Noonan added, because it runs critical infrastructure and the attack has had visible consequences.

Noonan said UnitedHealth needs to address whether patients’ personal information has been compromised. Thus far, the company has said only that its teams are “actively engaged and working to understand the impact.” 

Noonan also called for the federal government to require mandatory minimum cybersecurity for all critical infrastructure sectors, including health care.

“Americans I think are somewhat defenseless in this regard, because they’re relying on the companies to implement the right levels of cybersecurity, and that’s largely not happening,” he said.
