USA: Pharmacies impaired by cyberattacks

A Walgreens location
Even large pharmacy chains like CVS and Walgreens are said to be affected by the problems. (Source: Anthony92931 – CC BY-SA 3.0)

Since last week, many pharmacies in the USA have been unable to fill prescriptions. The reason behind this is a cyberattack on the company, Change Healthcare. This attack has also resulted in worldwide effects on US military hospitals.

Change Healthcare offers services for the US health care system. For example, pharmacies can use the system to bill insurances for medication or to verify whether patients are entitled to a specific medication. According to their own statements, the company processes about 15 billion transactions within the health care system. According to the American Hospital Association, Change Healthcare is one of the largest tech companies within the health care system in the United States.

Already since days, a cyberattack on the service provider has affected the daily operations of US pharmacies. According to media reports, many pharmacies are no longer able to bill insurances for prescriptions. Patients are left with a decision: Either they pay for their medication out of pocket or go without treatment.

For example, CNN reports of a 32 year old woman from Detroit who unsuccessfully tried to fill a prescription at several pharmacies – including a CVS pharmacy. In the end, she had to pay 1,600 US dollars out of pocket to receive her medication. Although her insurance confirmed that they would reimburse the costs, she described the experience to CNN as “distressing”. Furthermore, many people would not have this this amount at their disposal and would need to go without treatment, she said.

Disruptions since Wednesday

Change Healthcare first reported of system failures on Wednesday and later confirmed a cyberattack, as shown in a status report. Once the incident was noticed, systems were shut down to prevent further repercussions. The company has not yet provided more details about the incident.

According to present knowledge, the attack did not have an effect on the systems of other companies that also, like Change Healthcare, belong to the parent company, UnitedHealth Group. Meanwhile, in a statement made to the US Securities and Exchange Commission (SEC), an attacker with connections to a nation-state was presumably responsible. However, the company did not provide further details. Cybersecurity experts and prosecutors are involved with the case. According to details provided by the company, it is not foreseeable how much longer the interruption will continue.

In additional to normal pharmacies in the USA, this has impacted US military hospitals and pharmacies “worldwide” as communicated by the US military health care program, Tricare. Until the issue can be resolved, prescriptions need to be manually processed and urgent prescriptions prioritized.

Even the Landstuhl Regional Medical Center in Rhineland-Palatinate, the largest US military hospital outside the United States, reported on Facebook that they were affected by the problem. On Monday, they wrote that there would be delays with processing prescriptions – Patients should expect long waiting times.

Warnings of severe consequences

The health care industry trade group, American Hospital Association, warned at the end of last week of interruptions in all health care organizations as a result of the cyberattack. Therefore, the American Hospital Association has been in contact with the FBI and Department of Health and Human Services.

More experts of the health care system also warned of severe consequences should the interruption continue as reported by the Wall Street Journal (WSJ). Carter Groome, CEO of the consulting firm, First Health Advisory, told the newspaper: “It’s a mess, and I believe it’s our Colonial Pipeline moment in healthcare”. Groome is referring to a cyberattack in 2021 on the operator of a large pipeline in the USA. As the pipeline was shut down as a result of the attack, there were panic purchases in succession, leading to long lines at gas stations in the Eastern United States.

Security incidents in the health care sector

Over the past year, there were several cybersecurity incidents in the health care sector in the USA. At the end of October, the US Department of Health and Human Services stated that more than 88 million people were affected by data breaches in 2023.

For example, in May 2023 social security numbers and health data including X-rays and details regarding prescribed medication were stolen from millions of insured patients.

Also in December: Criminals gained access to millions of people’s sensitive data at Norton Healthcare, a hospital operator.

Additionally, at the end of the last year a company that operates 30 hospitals in six US states had to divert patients to other hospitals from some of their emergency rooms. The systems there taken offline after ransomware was discovered. (js)