Change Health and a competitor, CoverMyMeds, are two of the biggest players in the so-called switch business, which charges pharmacies a small fee for insurers’ claims.
“When one of these goes down, it’s obviously a big problem,” said Patrick Berryman, senior vice president of the National Community Pharmacists Association.
A Russian-speaking ransomware ring known as ALPHV claimed responsibility for the February 21 breach, capping a string of attacks that included several hospitals.
The enduring problems underscore the continued fragility of critical infrastructure nearly three years after the largest network of fuel pipelines in the United States was shut down following a ransomware attack on Colonial Pipeline. Service stations, particularly in the eastern half of the country, suffered from fuel shortages as customers rushed to get gas.
Since then, U.S. authorities and their international partners have announced a series of actions that have included hacking into the groups, intercepting their chats with business associates and, in some cases, arrests. ALPHV was targeted in a December takedown that proved short-lived.
US pharmacies reported a wide range of impacts, with independent stores experiencing some of the worst problems.
UnitedHealth estimates that the ChangeHealth shutdown has forced more than 90 percent of the nation’s more than 70,000 pharmacies to change how they process electronic claims. But he said only a small number of patients are unable to get their prescriptions at some cost.
At CVS, which operates one of the nation’s largest pharmacy networks, a spokeswoman said the closings resulted in “a number of cases in which our pharmacies are unable to process insurance claims.” However, he said work routes are allowing him to fill prescriptions.
Several pharmacies have begun routing claims through CoverMyMeds, which posted a notice online on Feb. 22 saying, “There is no closure.” The company owned by McKesson did not respond to a request for comment Thursday.
For pharmacies that weren’t able to immediately send claims to another company, ChangeHealth’s shutdown left pharmacists trying to manually calculate a patient’s co-pay or offer them a cash price.
Exacerbating the impact, thousands of organizations cut ChangeHealth from their systems to ensure hackers didn’t infect their networks as well.
UnitedHealth’s own pharmacy services company, Optum Rx, said it was also disaffiliated but that it would not fine pharmacies that did their best to disclose whether a given drug was covered for a patient. Optum said in a letter to those pharmacies that it is “committed to paying all claims that are reasonable and believe in good faith that a drug should be covered.”
The attack on Change Health has left many pharmacies cash-flow-strapped, as they face bills from companies that supply drugs without knowing when they will be reimbursed by insurers.
Some pharmacies are asking customers to pay the full price of their prescriptions when they can’t tell if they’re covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.
The shutdown has also wreaked havoc for patients who use drugmaker coupons to get their prescriptions at a discount. Some are being told that the coupon system also relies on Change Health.
Bethesda resident Amy Ginsburg said her local CVS was unable to process the coupons she uses for her diabetes medication.
“Normally, it would be a $25 co-pay, but it’s actually going to be a $250 co-pay,” she said. Ginsburg, 62, still has some medication left and plans to wait until next week for a refill, hoping the situation will be resolved by then.
“If I didn’t have enough to control me, it could have had serious consequences,” he said. “Not everyone has an extra $250 they weren’t expecting to spend.”
Erin Fox, associate chief pharmacy officer at University of Utah Health, said the situation has been “very devastating.”
“In our system, our retail pharmacy was providing three days of free emergency supplies for patients who could not afford to pay the cash price,” Fox said via email. “In some cases, like for the inhaler, we had to ship the product at risk, not knowing if we’d ever get reimbursed, but we needed to take care of the patients.”
Axis Pharmacy Northwest near Seattle is “going out on a limb and shipping product with absolutely no question whether we’re going to get paid or not,” said Richard Molitor, pharmacist in charge. “Perhaps the biggest impact has been on our hospice clients, whose claims are not going through at all.”
Change Health’s shutdown has been particularly hard on independent pharmacies, because they can only see prescriptions that a patient has filled at their pharmacy — and not those filled by patients from others. “Switches” connect independent pharmacies with insurers or pharmacy benefit managers, which have a broader view.
This means that small pharmacies may not know if a drug they dispense interacts with another drug that a patient receives at a different pharmacy or whether a patient fills a controlled substance from multiple pharmacies. is trying
“They’re blindsided when it comes to prescriptions filled at other pharmacies,” said Berryman, an official with the National Community Pharmacists Association.
ALPHV is one of the largest groups performing “ransomware-as-a-service,” which splits the ransom money with affiliates who perform actual hacking and then install ALPHV’s BlackCat ransomware encryption program. ALPHV then handles threats and negotiations.
The group has raised more than $300 million this way, targeting high-profile targets like Caesars Palace in Las Vegas.
In December, the Justice Department said it and partner countries had hacked ALPHV, recovering hundreds of decryption keys so victims could get their data back without paying, and some analysts predicted That this group will not be deterred by internal interference.
But as the past week has shown, ALPHV was hardly inactive. ALPHV reappeared on another site within days and announced that it would exact revenge. He invited his colleagues to penetrate more sensitive American targets.
“These deterrents are most effective at leading law enforcement when they are paired with arrests or identifying information about individuals,” said Adam Meyers, senior vice president of intelligence at security company CrowdStrike. “
Chris Krebs, former head of the US Cybersecurity and Infrastructure Security Agency, said groups open to affiliates are particularly resilient as long as trust between criminals is not broken.
“If you want permanent, long-lasting effects, it’s going to require taking some of these guys off the playing field,” Krebs said. “But there are others waiting in the wings.”