UnitedHealth Group Inc. is headquartered in Minnetonka, Minnesota, USA
Mike Bradley | Bloomberg | Getty Images
Change Healthcare's systems are down for the fourth straight day after parent company UnitedHealth Group disclosed that a suspected cybersecurity threat actor gained access to part of its information technology network on Wednesday.
UnitedHealth, the largest healthcare company in the US by market capitalization, owns healthcare provider Optum, which merged with Change Healthcare in 2022. Optum serves more than 100 million patients in the U.S., according to its website and Change Healthcare provides payment and revenue cycle management solutions.
UnitedHealth said it had identified a “suspected nation-state-affiliated” actor behind the attack, according to a filing Thursday with the U.S. Securities and Exchange Commission. The company isolated and shut down the affected systems “immediately upon detecting” the threat, the filing said. UnitedHealth did not provide further details about the nature of the attack in the filing.
In an update around 2 p.m. ET on Saturday, Change Healthcare said the outage was expected to last “at least” throughout the day. The company said Friday that it has a high level of confidence that Optum, UnitedHealthcare and UnitedHealth systems were not affected.
“We are working on multiple approaches to recover the affected environment and will not take any shortcuts or additional risks as we bring our systems back online,” Change Healthcare said Saturday.
UnitedHealth did not provide CNBC with any additional information beyond the update.
While UnitedHealth did not specify in its regulatory filing which Change Healthcare systems were affected by the attack, companies including CVS Health said the disruption impacted some of its business operations.
CVS Health continues to fill prescriptions but is unable to process insurance claims in certain cases, the company told CNBC in a statement on Saturday. CVS Health said there was “no indication” that its own systems were compromised.
“We are committed to ensuring access to health care as we weather this disruption,” CVS Health said in the statement.
The American Hospital Association released a statement Thursday urging healthcare organizations to divest from Optum until it is deemed safe to reconnect. The AHA said it spoke to the Department of Health and Human Services, the FBI and the Cybersecurity and Infrastructure Security Agency about the attack, the statement said.
The AHA declined to comment on the Change Healthcare cyberattack. The FBI, HHS and CISA did not respond to CNBC's requests for comment.