Pharmacy chains throughout the United States are currently grappling with disruptions due to a cyberattack targeted at Change Healthcare – a Nashville-based company specializing in processing patient payments for a variety of healthcare organizations. This report provides detailed information regarding the current situation which is impacting services nationwide. Owned by Optum – a UnitedHealth Group subsidiary, Change Healthcare manages approximately 15 billion transactions annually, making it the largest commercial prescription processor in the country.
The discovery of an unauthorized access incident into the systems of Change Healthcare was made on Wednesday. The notification about this violation was contained in a public filing made by UnitedHealth with the Securities and Exchange Commission. The company has stated that the affected systems were immediately isolated from interacting with other systems on becoming aware of the breach. The company’s systems, albeit still offline, are expected to regain capacity soon.
This unexpected interruption has had a striking impact on the pharmaceutical industry, affecting military pharmacies across the globe and several retail pharmacies in the U.S., including CVS. At this point, there is no indication of CVS’ systems being compromised. CVS has comprehensive business continuity strategies in place to mitigate the impact of such incidents by minimizing service disruptions wherever possible.
Response from the American Hospital Association to this attack has been uncompromising. Organizations across the healthcare sector were advised to consider disconnection from Optum until an independent verification of safety can be re-established.
In tandem with the SEC filing, UnitedHealth revealed that the unauthorized party believed to have accessed their systems reportedly has links to a ‘suspected nation-state associated cyber security threat actor.’ The Cybersecurity and Infrastructure Security Agency specifies that such nation-state adversarial entities contribute significantly to threat elevation. They may target the critical infrastructure of the U.S., including healthcare services, potentially using them as cyber-attack vectors.
This incident serves as an incisive reminder of the imminent cyber threats looming over the healthcare sector. It underlines the necessity for transparency in the aftermath of cyber incidents, the importance of ongoing investments in cyber defense mechanisms, robust processes, and comprehensive staff security awareness and training.