A ransomware gang once thought to have been crippled by law enforcement blocked prescriptions from being processed for millions of Americans last week, forcing some to choose between paying prices that could reach hundreds or thousands of dollars above their usual insurance-matched rates and forgoing life-saving medications.
Insurance giant UnitedHealthcare Group said the hackers targeted its Change Health division, which routes prescription claims from pharmacies to companies that determine whether patients are covered and what they should pay. The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network while it worked to recover.
Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee to refer claims to insurers.
“If one of them goes down, that's obviously a big problem,” said Patrick Berryman, senior vice president of the National Community Pharmacists Association.
A notorious Russian-language ransomware ring called ALPHV claimed responsibility for the February 21 breach, ending a series of attacks involving multiple hospitals.
The ongoing problems underscore the continued fragility of critical infrastructure, nearly three years after a ransomware attack on Colonial Pipeline led to the shutdown of the largest network of fuel pipelines in the United States. Gas stations, particularly in the eastern half of the country, ran out of fuel as consumers rushed to fill up.
Since then, U.S. officials and their international partners have announced a series of operations that have included hacking the gangs, taking over their chats with business associates and, in some cases, arrests. ALPHV was the target of a shutdown in December, but it was short-lived.
U.S. pharmacies reported a variety of impacts, with independent stores struggling with some of the worst problems.
UnitedHealth estimates that more than 90 percent of the country's more than 70,000 pharmacies have had to change the way they process electronic claims because of the Change Health outage. However, it said only a small number of patients had been unable to obtain their prescriptions at a certain price.
At CVS, which operates one of the largest pharmacy networks in the country, a spokesman said that due to the outage, there are “a small number of instances in which our pharmacies are unable to process insurance claims.” However, it said workarounds would allow it to fill prescriptions.
Many pharmacies have begun routing claims through CoverMyMeds, which posted a notice online on Feb. 22: “There are no outages here.” The McKesson-owned company did not respond to a request for comment Thursday.
For pharmacies unable to quickly route claims to another company, the Change Health outage left pharmacists trying to manually calculate a patient's copay or offer them the cash price.
To compound the impact, thousands of organizations have cut off Change Health from their systems to ensure the hackers don't also infect their networks.
Optum Rx, UnitedHealth's own pharmacy services company, also said it had severed ties but that it would not penalize pharmacies that did their best to find out whether a particular drug was covered for a patient. Optum said in a letter to those pharmacies that it is “committed to reimbursing all reasonable claims based on the good faith belief that a drug should be covered.”
The attack on Change Health has left many pharmacies in a liquidity crisis as they face bills from the companies that supply the drugs without knowing when they will be reimbursed by insurers.
Some pharmacies require customers to pay full price for their prescriptions if they cannot say whether they have insurance. In some cases, this means people are paying more than $1,000 out of pocket, according to social media posts.
The outage has also led to devastating consequences for patients who use drug manufacturer coupons to get their prescriptions at a discount. Some reported being told that the coupon system also relied on Change Health.
Amy Ginsburg, a Bethesda resident, said her local CVS was unable to process a coupon she used for her diabetes medication.
“Normally it would be a $25 copay, but it will actually be a $250 copay,” she said. Ginsburg, 62, still has some medication left and plans to wait until next week to get a refill, hoping the situation will clear up by then.
“If I didn’t have enough to tide me over, it could have serious consequences,” she said. “Not everyone has an extra $250 that they didn’t want to spend.”
The situation was “extremely concerning,” said Erin Fox, deputy chief pharmacy officer at University of Utah Health.
“In our system, our retail pharmacies provided three days of free emergency care to patients who could not afford to pay the cash price,” Fox said via email. “In some cases, such as inhalers, we have had to ship products at risk without knowing whether we will ever get paid, but we have to take care of patients.”
Axis Pharmacy Northwest near Seattle “goes all out and dispenses products without any idea whether we're getting paid for it or not,” said Richard Molitor, the pharmacist in charge. “Probably the biggest impact we had was on our hospice clientele, whose needs were not taken into account at all.”
The Change Health outage was particularly hard on independent pharmacies because they can only see prescriptions that a patient filled at their pharmacy – and not those the patient filled at another pharmacy. The “switch” connects independent pharmacies with insurers or pharmacy benefit managers who have a broader perspective.
This means that small pharmacies do not know whether a medication they dispense interacts with another medication that a patient received at another pharmacy or whether a patient attempts to purchase a controlled substance from multiple pharmacies.
“They're operating blindly when it comes to prescriptions that are filled at other pharmacies,” said Berryman, an official with the National Community Pharmacists Association.
ALPHV is one of the largest groups offering “ransomware as a service,” splitting extortion money with partners who do the actual hacking and then install ALPHV’s BlackCat ransomware encryption program. ALPHV then takes care of the threats and negotiations.
The group has raised more than $300 million this way and hit such high-profile targets as Caesars Palace in Las Vegas.
In December, the Justice Department said it and partner countries had hacked ALPHV and recovered hundreds of decryption keys, allowing victims to get their data back without paying, and some analysts predicted the group would not recover from the internal intrusion.
But as the past week has shown, ALPHV was hardly hindered. ALPHV reappeared within days on another website and vowed revenge. It called on its affiliates to break into more sensitive American targets.
“These law enforcement-generated disruptions are most effective when they result in an arrest or the identification of information about an individual,” said Adam Meyers, senior vice president of intelligence at security firm CrowdStrike.
Groups that are open to partners are particularly resilient unless trust among criminals is broken, said Chris Krebs, former head of the U.S. Cybersecurity and Infrastructure Security Agency.
“If you want to have lasting, long-lasting impact, you have to take some of these people off the field,” Krebs said. “But there are more people waiting in the starting blocks.”