Fallout from a cyberattack on one of the largest health care technology companies in the country is continuing to impact the entire health care system more than a week after it began.
Change Healthcare, a technology company that's part of Optum and owned by UnitedHealth Group, was hit with the attack on February 21. It has disrupted patient care and hospital operations, threatened the security of patients' information, prevented some prescriptions from being filled and delayed paychecks for medical workers.
The American Hospital Association called it "the most serious incident of its kind leveled against a U.S. health care organization."
According to Change Healthcare, the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records. The company provides a range of services that directly affect patient care, including eligibility verifications and pharmacy operations, as well as claims transmittals and payment. All of these have been disrupted to varying degrees over the past several days and the full impact is still not known.
Change Healthcare said a ransomware group known as "ALPHV/Blackcat" has claimed responsibility for the attack, thought it is still "actively working to understand the impact to members, patients and customers." The group claims it has stolen "millions of sensitive records, including medical insurance and health data," Reuters reported.
Once it became aware of the threat, Change Healthcare says it "took immediate action" to disconnect its systems and minimize the impact.
"Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need," the company said. "We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action."
The company said it is working closely with law enforcement and third-party consultants, Mandiant and Palo Alto Network, to handle the situation as it returns to normal operations, but it cannot estimate how long that will take.
The American Hospital Association said it has also been in contact with Department of Health and Human Services, the FBI and the Cybersecurity and Infrastructure Security Agency.
"Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector," the association said.
On Friday, Change Healthcare said it was rolling out a new instance of its Rx ePrescribing service for pharmacies nationwide that appears to be working without issue. Organizations using the company's other services have been urged to prepare contingency plans in the event that services remain unavailable for an extended period of time.