Change Healthcare Cyberattack: What Consumers Should Know

5 min read

March 25,  2024 -- Last month’s cyberattack on a major health claims processor that handles transactions involving 1 in 3 U.S. patient records is still impacting patients and may have lasting effects on doctors, pharmacies, laboratories, and other health organizations. 

“We are not through the woods yet,” said Jesse M. Ehrenfeld, MD, MPH, president of the American Medical Association.

Three major issues now face consumers, according to Ehrenfeld and Jillanne Schulte Wall, JD, senior director of health and regulatory policy for ASHP, the American Society of Health-System Pharmacists:  

  • Potential leakage of protected, sensitive patient data
  • Ongoing difficulties getting prescriptions or health care requiring prior authorizations
  • Long-term financial impact on doctors and practices, which could lead to doctors leaving practices or practices closing, affecting patient access to care

A Quick Overview 

Change Healthcare, part of Optum and owned by UnitedHealth Group, processes about half of medical claims in the U.S. for about 900,000 doctors, 118,000 dentists, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories, according to figures from a 2022 DOJ lawsuit that attempted to block UnitedHealth Group’s acquisition of Change Healthcare. 

When the breach, which occurred on Feb. 21, was discovered, the company shut down the systems, triggering massive issues. Key functions of Change Healthcare include pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, and patient authorizations and medical necessity reviews. 

Was Data Breached?

Did protected sensitive data get leaked? On an update about the cyberattack posted March 22, United Health Group posted in response to this question: “Our privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers.”

“We just don’t know and we can’t speculate,” Ehrenfeld said of the possibility of personal data breaches. “I don’t think anybody knows.”  He calls for UnitedHealth Group to be more vocal on this question and notes the severity of such breaches.

Consumers rightfully expect their personal information to be protected during health care transactions, and once that trust is broken, it’s difficult to regain, Ehrenfeld said.

“Once the genie is out of the bottle, you can’t put it back in," he said. 

Issues With Prescriptions

Immediately after the attack was discovered, filling prescriptions was next to impossible for about 5 days at his hospital, Ehrenfeld said. Patients came in for surgery but often couldn’t get the needed prescriptions they required to take upon discharge, for instance.

Sometimes, health care providers had to estimate copays for prescriptions, Schulte Wall said. While they were doing their best to help, “patients may be getting bills down the road.”  

The situation has gotten better, but it’s not fully restored. About 99% of ChangeHealth pharmacies were up and running as of March 7, according to the update on United, but it acknowledged that challenges remain. 

When systems were down, “a lot of providers had to move to paper record keeping and had to switch to paper claims submissions, so that takes a while to process,” Schulte Wall said. She expects ripple effects for months.

Suggested Solutions

Some pharmaceutical companies have stepped in, offering new savings cards when the previous ones did not work or explaining a post-transaction reimbursement copay claims process. 

Lilly has made new savings cards for its medicines available for eligible patients after pharmacies reported trouble processing previous ones right after the cyberattack.  On its site, it has a timeline of when the cards became available for specific medicines. Eligible commercially insured consumers can submit a claim for reimbursement if their copay card was not honored at their pharmacy after the outage, according to Lilly.

As for Novo Nordisk, its impacted copay programs have been restored and are operational. An alternate processor is handling the copay offers now. The company is also offering a refund of the difference between the full copay amount and final out-of-pocket cost for those who paid the full copay during the outage, with details here.

Amgen has posted that consumers can use the same copay card used before the outage and offered instructions on what to do if they still have problems processing it.   

Long-Term Financial Effects 

Patients may not see the long-term financial effects immediately, Ehrenfeld said, but the financial impact of the crisis has not been mitigated. “Plans are not being paid, practices are being squeezed,” he said.

He cited an internal AMA survey conducted of its members in mid-March, with many reporting they are out of cash, trying to get bridge loans, or taking money from their retirement accounts to stay afloat. That’s true despite efforts from the Centers for Medicare and Medicaid Services (CMS), such as relaxing prior authorization requirements and a loan program from UnitedHealth Group. 

Small practices often don’t have the cash reserves on hand that larger ones do to weather such a crisis, Ehrenfeld said. If the situation gets extremely bad, practices could go bankrupt or close.  

“It’s something we are concerned could happen," he said. 

After the pandemic, “nobody is sitting on cushions of cash, so you as a consumer may be looking at reduced services down the road depending on how badly and how lasting the financial impacts are for various types of providers,” Schulte Wall said.

Bottom Line

UnitedHealth Group has posted a timeline of when to expect services to be fully back over the coming weeks.

But even when systems are fully restored, the issues aren’t expected to be resolved immediately. Without a cyberattack, insurance and other health care transactions typically take time, such as waiting for a primary insurance carrier to decide on payment before coverage from a secondary carrier kicks in. 

“United bears the responsibility of cleaning this up,” Ehrenfeld said. 

Regaining trust, another important issue, may take even longer than the technology recovery. When patients show up at a pharmacy, for instance, and are told they can’t get their medication because they can’t determine the copay (when the systems were down), “that is going to undermine consumer confidence,” Schulte Wall said. “I wonder if people are going to be as trusting knowing that half of the health care system went down because of one cyberattack."