United Health, Optum, Change Healthcare cyber attack and what it means to you

As of this afternoon, March 1, 2024, at 3pm EST, Change Healthcare announced that their ePrescribing service was operational, and at 3:45pm EST they made this update:

For clarity, Change Healthcare's Clinical Exchange ePrescribing providers' tools are still not operational.


We have completed standing up a new instance of Change Healthcare's Rx ePrescribing service. Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types. As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.

If you are a medical practice, lab, pharmacy, or related business that is impacted by this event, you may have some possible opportunities and possible complications to consider:

  • UnitedHealth Group Chief Operating Officer Dirk McMahon has said the company was in the process of setting up a loan program for providers who are unable to submit insurance claims while systems are offline.  You should probably keep an eye on this possibility.

  • If you are impacted by this incident, for example you’ve been unable to submit claims and/or post payments, reach out to your practice’s insurance broker. You may have immediate cause to file a claim for contingent/dependent business interruption or something similar. These provisions most often provide up to $100k in many cyber policies. (Yet one more reason why you need cyber-liability insurance coverage.) Your E&O policy may come into play also in these situations. Remember your broker is the expert.

  • The possible threat actors ALPHV/Blackcat, who are suspected in this event, are known to exfiltrate data as part of their attacks (I did a deep dive on this group a year ago; they are not amateurs). We may not know, however, for quite a while if this is the case.

  • Subscribe to updates on Change Healthcare’s website dedicated to this event – linked below, so you can stay informed as they release information. 

  • Pay special attention to any email communications that appear to be coming from UnitedHealth Group/Optum/Change Healthcare – big events like this that make the news are popular bait for phishing emails. Be aware of this possibility, especially if there is an “urgent” ask in the message, and warn your employees. I can already envision phishing emails going out to medical practices such as: “United Health free loan program ends tonight, click this link to apply before it’s too late!”

  • Should this event become a data breach - and this has not been determined yet - your practice and your impacted patients will be informed as part of that process, but it may be a while before anyone knows. Use this time now to think about how you’ll answer inquiries from patients – talk to your own legal counsel for advice on managing expectations. Keep in mind though, as of right now, we just don’t know whether it is or isn’t a data breach, since Change Healthcare hasn’t said anything yet.

  • If you do medical billing in-house or via a third-party medical billing service, there may be workarounds with some insurance companies to key claims directly to their portals or possibly submit paper claims. RealTime-Medical is doing these things where possible for our own clients, but it is a lot of extra work, so plan accordingly.

Talk to your cybersecurity and IT teams to make sure they are aware of the issue, and be sure to understand your own potential risks related to this event.

To be safe, and it’s a step we always recommend when cyber incidents occur – assume that your credentials used to access UHG/Change Healthcare/Optum are potentially at risk and change them to unique, difficult to guess, long passwords. If your mobile phone number was associated with your logon information and it is used for MFA, see if you can switch to app-based MFA – I don’t know if UHG supports that. Be careful about anything texted to your mobile number too.

Finally, if your business is financially impacted to the point you may not be able to pay invoices, it’s probably better to talk to those vendors sooner rather than later. Most everyone should be aware of this incident by now and they will hopefully understand that it’ll be sorted out soon (maybe that is just my endless optimism talking.) Again, your insurance policy may come into play with business interruption coverage, so please talk to your insurance broker – they’ll know the best way to proceed. 

Link to the SEC FORM 8-K related to this incident: https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm

Change Healthcare’s latest updates related to this incident: https://status.changehealthcare.com/incidents/hqpjz25fn3n7  Suggest you subscribe to updates if you are impacted.

Todd Swartzman