One Week On, Pharmacies Still Hampered by Cyberattack at Change Healthcare

A week after Change Healthcare was hit by a ransomware attack, pharmacies and health systems across the country are still feeling the impact, as the company’s issues have not been resolved.

Executives at Scripps Health in San Diego — which experienced a direct ransomware attack in 2021 — said they’ve been working hard to mitigate effects on patient care.

Even though the system wasn’t directly hit this time, the Change Healthcare attack “has hampered or slowed down many discharge medication programs, making it difficult for patients to receive essential medications in a timely manner, potentially impacting their post-hospital recovery,” Tony Jackson, PharmD, MBA, corporate vice president for pharmacy at Scripps, told MedPage Today in an email.

Jackson added that the outage has also “resulted in out-of-pocket costs for patients and increased financial risks for institutions like Scripps.”

Since electronic prescribing is the standard for getting patients their medications, Scripps has had to shift to more traditional prescribing methods, said Anil Keswani, MD, chief medical officer for ambulatory operations at Scripps Health.

To ensure quality, Keswani said, Scripps implemented three key steps, including verifying that prescriptions were received by pharmacies; helping patients use pharmacies that aren’t affected by the attack; and sometimes having patients pick up printed prescriptions in person.

Change Healthcare announced that it was hit by the cyberattack on Feb. 21. The company had been bought by Optum in 2022, which makes it a part of UnitedHealthcare, the country’s largest insurer, and parent company UnitedHealth Group. According to a statement from Optum, Change began disconnecting its systems so as not to impact the wider organization and maintains that it has a “high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems have not been affected by this issue.”

According to a statement from the American Pharmacists Association, Change Healthcare’s technology assists with claims processing and “helps pharmacies know how much to charge consumers at the pharmacy counter. As a result of this, many pharmacies throughout America could not transmit insurance claims for their patients. This is resulting in delays in getting prescriptions filled.”

Reuters reported on Monday that the Blackcat ransomware gang was behind the Change Healthcare outage. The group, also known as “ALPHV,” is “one of the most notorious of the internet’s many ransomware gangs,” Reuters reported, noting that it has previously hit large companies including MGM Resorts International and Caesars Entertainment with ransomware attacks.

Late last year, U.S. law enforcement officials seized several of the group’s websites and hundreds of digital keys to decrypt victims’ data, Reuters reported, and the group threatened to retaliate by extorting critical infrastructure providers and hospitals.

UnitedHealth Group spokesperson Tyler Mason said in an updated emailed statement that the company “continue[s] to work closely with law enforcement and a number of third parties” on the attack, adding that it has been working with its partners to “ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal.”

Mason also noted that more than 90% of the country’s more than 70,000 pharmacies have modified their electronic claims processing to create a workaround, while the rest have implemented offline workarounds. He also acknowledged the impact on payers and providers, noting that the episode hasn’t yet impacted “provider cash flows as payers typically pay 1 to 2 weeks after processing. As we work on bringing systems back online, we are also developing solutions to that challenge if needed.”

An emailed statement from the American Society of Consultant Pharmacists noted that during a call with Optum and Change Healthcare leadership on Wednesday, “assurances were provided that all appropriate pharmacy claims would be paid during this down period.”

That statement also noted that the timeline for Change Healthcare to be back up and running is unknown.

Scripps CEO Chris Van Gorder noted that it took about 3.5 weeks to restore all systems after his organization was directly hit by a ransomware attack, but that it took “months to recover administratively” — re-inputting manual work from that 3.5-week period — “and from a regulatory perspective, several years.”

Cheryl Clark contributed reporting to this story.

  • author['full_name']

    Kristina Fiore leads MedPage’s enterprise & investigative reporting team. She’s been a medical journalist for more than a decade and her work has been recognized by Barlett & Steele, AHCJ, SABEW, and others. Send story tips to k.fiore@medpagetoday.com. Follow

Please enable JavaScript to view the

comments powered by Disqus.