On February 21, 2024, Change Healthcare, one of the major pharmacy claims processors in the United States, detected a cybersecurity incident and took its systems offline, causing disruptions to pharmacies and medical providers across the country. UnitedHealth Group, its owner, immediately acknowledged this incident in an 8-K filing to the SEC on Feb. 21. The healthcare ecosystem of payers, providers, and processors continues to face an unrelenting wave of cyberthreats that result in diminished care experiences for patients.
Change Healthcare is a subsidiary of UnitedHealth Group. At present, other UnitedHealth Group systems seem to be unaffected. UnitedHealth Group released a statement attributing the attack to a “suspected” nation-state entity, but other than that, details are light. The specific nature of the attack is still under investigation.
The outage is causing various disruptions, which include:
- Delayed prescription processing. Some pharmacies reported issues filling prescriptions due to Change Healthcare’s role in claims processing. Reports indicate that pharmacies on military installations are reducing access to prescriptions for military personnel and their families. This is yet another example of how private sector companies hit with cyberattacks affect critical functions for civilians and government organizations.
- Disrupted healthcare operations. Providers relying on Change Healthcare’s services might face delays in communication and access to patient data. As mentioned above, the primary outage appears to be in claims processing, leaving pharmacies unclear as to whether a prescription is covered and what the reimbursement amounts from insurers may be.
- A potential data breach. The full scope of compromised data is unknown, but patient confidentiality could be at risk. Given that most ransomware breaches in recent years included data exfiltration along with encryption, it’s best to assume that patient data was also compromised as a result of the adversary activity, but the investigation is ongoing.
The Prescription: Prepare For Disaster Before It Strikes
- Check your business resilience and continuity. The scourge of cyberthreats that continue to impact customers puts renewed emphasis on continuity of operations and testing resilience processes. Whether B2B or B2C, testing your firm’s ability to fail over to manual and paper-based systems is still a necessity, even in 2024. And don’t forget that you also need to test data reconciliation after you recover, as many customer services still won’t be fully available until you have all the customer data back in your systems.
- Business disruption is business disruption, regardless of the method. Regardless of whether this was caused by a ransomware attack, many of the aftereffects will parallel those of ransomware disruption. Leverage some of the same techniques for ransomware defense and response in your own organization, such as enforcing strong passwords and multifactor authentication, as well as leveraging backup and recovery tools. Further, responses to attacks like these require strong coordination and awareness between security teams and infrastructure and operations to prepare, manage, and restore from backups.
- Consequences of third-party risk are not limited to cybersecurity. Consequences of a cyberattack on a third party don’t have to impact your cybersecurity to be painful. Change Healthcare’s decision to disconnect systems impacted over 100 applications and severely disrupted pharmacy operations nationwide. For the 67,000 US pharmacies at medical centers, retailers, and online providers, as well as military pharmacies relying on this health IT vendor, the impact of this event will have operational, financial, and reputational consequences. When evaluating the risks of doing business with a third-party entity, cybersecurity risk is just one piece of the process; the evaluation must also account for risks across multiple risk domains. Healthcare organizations especially need to refocus third-party risk management efforts on bolstering clinical care, not just compliance. When the dust settles from this incident, organizations that have prepared for the operational consequences of third-party cyberincidents, and not just the cyberincidents themselves, will fare best.
- This is a crisis — be ready for the next one. Regardless of how the incident started, the cascading fallout from the disruption is a very public crisis for all affected parties. In addition to technical tabletop exercises for ransomware and data exfiltration, executives and boards must run an immersive crisis simulation focused on prolonged service disruptions. This exercise should be led by your outside counsel and your incident response service provider. It should involve media inquiries, customer calls and complaints, and regulatory notification. Preparing crisis communications for major business disruptions is critical and not limited to media statements and 8-K filings. Messaging related to a disruption must be provided to all customer-facing employees (e.g., call centers, retail locations, social media managers) with updates and recommendations for alternate methods to obtain needed products or services.
- Breach notification is an opportunity, when handled correctly. While there is no direct mention of this on the main pages of the Change Healthcare, Optum, or UnitedHealth Group websites, the timely 8-K filing links to an official status page about this incident that is being regularly updated with timestamps. How an organization communicates following a disruptive incident or breach sets the tone for response and rebuilding trust. This applies across public, customer-facing, and internal employee-facing communications. When personal data is affected, organizations will also have to comply with breach notification requirements to notify both regulators and individuals. Transparency and empathy — two of the seven levers of trust — must be cornerstones of these communication and notification efforts. Treating this critical part of response as an afterthought or a pure compliance checkbox will do more harm than good.
Connect With Us
Forrester clients, you can schedule an inquiry or guidance session with analysts to discuss your organization’s preparedness for cyberattacks, third-party incidents, and other disasters.