By Gina Shaw

Six leading national pharmacy organizations have called on the Department of Health and Human Services to take additional action in response to the massive February 2024 cyberattack on Change Healthcare (UnitedHealth Group’s [UHG’s] technology arm) by the ransomware group BlackCat.

The attack left thousands of pharmacies unable to fill some prescriptions. The pharmacy groups, including ASHP and the American College of Clinical Pharmacy, American Pharmacists Association, American Society of Consultant Pharmacists, National Alliance of State Pharmacy Associations and National Community Pharmacists Association, requested that the agency be “fully engaged” in addressing continued fallout from the attack.

“Pharmacies across the country were unable to process pharmacy claims or access e-prescribing for several weeks,” the organizations said in a letter to HHS Secretary Xavier Becerra submitted on May 7. “Consequently, providers were forced to move to new systems or default to paper recordkeeping, significantly increasing workloads and costs, slowing workflows, and creating compliance concerns. For patients, this resulted in delayed prescriptions, and, for some, the choice between paying full price for a prescription or going without until the attack was resolved and normal processing resumed.”

The letter called for HHS to take several key steps to address continued fallout from the Change Healthcare attack:

  • Establish HHS crisis communication plans for future attacks. The organizations noted that it took several days for HHS to engage fully after the Change Healthcare attack.
  • Require health plans and pharmacy benefit managers to pause audits immediately in the event of any future data breaches.
  • Ensure that pharmacies are made whole for good-faith dispensing during the cyberattack, with a payment solution applicable to all payors.
  • Prevent punitive payor actions, including direct and indirect reimbursement fees based on disruptions in care or recordkeeping resulting from the attack.
  • Clarify that providers will be held harmless for any data breaches resulting from the Change Healthcare attack.
  • Create a national plan for response to future cyberattacks, convening all stakeholders to outline response plans, including communication plans for providers and the public.

In a May 1 hearing before the Senate Finance Committee, UHG CEO Andrew Witty said the catastrophic security breach was the result of hackers gaining access to a server that lacked multifactor authentication—“cybersecurity 101,” said Sen. Ronald Wyden (D-Ore.). On May 14, Sen. Bill Cassidy (R-La.), ranking minority member of the Senate Health, Education, Labor and Pensions (HELP) Committee, wrote to Mr. Witty requesting answers to 20 additional questions about the breach and data governance both before and after the attack. He noted that in early April, a second hacker group, RansomHub, claimed that it was cheated out of its share of the ransom payment and would sell 4 terabytes of stolen data to the highest bidder if it did not receive an additional ransom payment.

“On April 22, [UHG] confirmed that 22 screenshots containing PHI [protected health information] and PII [personally identifiable information] were posted on the dark web for about a week, but that no further publication of PHI and PII has occurred,” Mr. Cassidy noted. “This was the first time information alleged to have been extracted from the breach was shared publicly and confirmed that hackers possessed medical and patient records. Despite all of this, UHG has still not provided an accounting for the data that was compromised and has left millions of patients and providers wondering if their private data would be released publicly.”

This article is from the September 2024 print issue.