5 Things To Know On The UnitedHealth Optum Cyberattack

According to reports, U.S. pharmacies are seeing major disruptions following a purported nation-state attack against Change Healthcare, a unit within UnitedHealth’s Optum subsidiary.

A cyberattack against a unit within UnitedHealth Group subsidiary Optum, Change Healthcare, has led to major disruptions for U.S. pharmacies and patients, according to reports.

Insurance giant UnitedHealth has attributed the widely felt attack against Optum’s Change Healthcare to a nation-state threat actor.

What follows are five things to know about the major UnitedHealth Optum cyberattack.

IT Systems Are Down

In a regulatory filing Wednesday, insurer UnitedHealth Group disclosed the cyberattack against Change Healthcare, a prescription processor that’s a part of its Optum subsidiary.

The threat actor behind the attack “gained access to some of the Change Healthcare information technology systems,” UnitedHealth said in the filing with the U.S. Securities and Exchange Commission.

“In the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact,” Change Healthcare said in the most recent statement posted on its website Friday. “This action was taken so our customers and partners do not need to.”

In a statement, the American Hospital Association said that Optum has a “sector wide presence” and provides numerous “mission critical services.” As a result, “the reported interruption could have significant cascading and disruptive effects,” the association said, including to insurance verification and payments as well as to “certain health care technologies and clinical authorizations.”

Timetable For Restoration

In the most recent statement Friday, Change Healthcare said that the disruptions from the attack are “expected to last at least through the day.”

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” Change Healthcare said in the statement. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect.”

Pharmacy Disruptions

Media reports indicated that the attack’s impact on insurance processing has made it difficult for patients to obtain prescriptions using their insurance.

Local pharmacies have reported delays in addition to being unable to bill insurance plans for prescriptions, according to a report from the Wall Street Journal. CNN reported that patients have been resorting to paying out of pocket in order to access necessary prescriptions.

“During the disruption, certain networks and transactional services may not be accessible,” UnitedHealth said in the SEC filing.

A statement from the Naval Hospital at Camp Pendleton in California said that the attack has “affected military clinics and hospitals worldwide” as well as “some retail pharmacies nationally.”

More Details

In its SEC filing, UnitedHealth said it has “identified a suspected nation-state” as the threat actor behind the Change Healthcare attack. The company did not attribute the attack to a particular country’s government.

“The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies,” UnitedHealth said in its SEC filing. “At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.”

In its latest statement Friday, Change Healthcare said it has a “high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.”

ScreenConnect Vulnerability Blamed

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that it has been seeing active exploitation of the ConnectWise ScreenConnect vulnerability that was reported last week. The ScreenConnect vulnerability (tracked as CVE-2024-1709) has been assigned a severity rating of “critical.”

On Friday, SC Media reported that the critical ScreenConnect vulnerability was exploited in the Change Healthcare attack, which was enabled through the use of a LockBit malware strain.

In a statement to CRN, ConnectWise said that “at this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.”