A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week, forcing some to choose between paying prices hundreds or thousands of dollars above their usual insurance-adjusted rates or going without lifesaving medicine.
Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay. The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover.
Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers.
“When one of them goes down, obviously it’s a major problem,” said Patrick Berryman, a senior vice president at the National Community Pharmacists Association.
A notorious Russian-speaking ransomware ring known as ALPHV claimed responsibility for the Feb. 21 breach, capping a string of attacks that included several hospitals.
The lasting issues underscore the continued fragility of critical infrastructure nearly three years after a ransomware attack on Colonial Pipeline prompted a shutdown of the biggest network of fuel pipelines in the United States. Service stations, particularly in the eastern half of the country, ran short of fuel as consumers rushed to gas up.
Since then, U.S. officials and their international partners have announced a series of operations that have included hacking the gangs, taking over their chats with business associates and, in some cases, making arrests. ALPHV was targeted in a December takedown that proved short-lived.
U.S. pharmacies reported a wide range of impacts, with independent stores experiencing some of the worst problems.
UnitedHealth estimated that more than 90 percent of the nation’s 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price.
At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are “a small number of cases in which our pharmacies are not able to process insurance claims” as a result of the outage. It said workarounds were allowing it to fill prescriptions, however.
Many pharmacies have started routing claims through CoverMyMeds, which posted a notice online Feb. 22, “No outages here.” The company, owned by McKesson, did not respond to a request for comment Thursday.
For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient’s co-pay or offer them the cash price.
Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well.
UnitedHealth’s own pharmacy services company, Optum Rx, said it, too, disconnected but that it would not penalize pharmacies that made their best efforts to tell whether a given drug was covered for a patient. Optum said in a letter to those pharmacies that it was “committed to reimbursing all claims that are appropriate and filled with the good faith understanding that a medication should be covered.”
The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers.
Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.
The outage has also created havoc for patients who use drugmaker coupons to get their prescriptions at a discount. Some reported being told that the coupon system also relies on Change Health.
Amy Ginsburg, a Bethesda resident, said her local CVS wasn’t able to process a coupon she uses for her diabetes medication.
“Normally, it would be a $25 co-pay, but it will actually be a $250 co-pay,” she said. Ginsburg, 62, still has some medication left and plans to wait for the refill until next week, hoping the situation will be resolved by then.
“If I didn’t have sufficient quantity to tide me over, it could lead to serious consequences,” she said. “Not everyone has an extra $250 they weren’t expecting to spend.”
The situation has been “extremely disruptive,” said Erin Fox, associate chief pharmacy officer at University of Utah Health.
“At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price,” Fox said by email. “In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients.”
Axis Pharmacy Northwest near Seattle is “going out on a limb and dispensing product with absolutely no inkling if we’ll get paid or not,” said Richard Molitor, the pharmacist in charge. “Probably the biggest impact has been with our hospice clientele, whose claims aren’t going through at all.”
The Change Health outage has been particularly tough on independent pharmacies, because they can only see prescriptions that a patient filled at their pharmacy, and not ones that the patient filled at others. The “switch” connects independent pharmacies to insurers or pharmacy-benefit managers, who have a more expansive view.
This means small pharmacies wouldn’t know if a drug they dispense interacts with another drug a patient received at a different pharmacy or whether a patient is trying to fill a controlled substance from multiple pharmacies.
“They’re flying blind when it relates to prescriptions filled at other pharmacies,” said Berryman, the National Community Pharmacists Association official.
ALPHV is one of the largest groups performing “ransomware as a service,” splitting extortion money with affiliates that do the actual hacking and then install ALPHV’s BlackCat ransomware encryption program. ALPHV then handles the threats and negotiations.
The group has collected more than $300 million this way, hitting such high-profile targets as Caesars Palace in Las Vegas.
In December, the Justice Department said it and partner nations had hacked ALPHV, recovering hundreds of decryption keys so that victims could get their data back without paying, and some analysts predicted the group would not recover from the internal penetration.
But as the past week has shown, ALPHV was hardly disabled. ALPHV reappeared on another site within days and announced it would exact revenge. It invited its affiliates to break into more sensitive American targets.
“These law enforcement-led disruptions are most effective when they are paired with an arrest or identifying information about individuals,” said Adam Meyers, senior vice president of intelligence at security company CrowdStrike.
Groups open to affiliates are especially resilient unless the trust among the criminals is broken, said Chris Krebs, former head of the U.S. Cybersecurity and Infrastructure Security Agency.
“If you want permanent, long-lasting impacts, it is going to require taking some of these guys off the playing field,” Krebs said. “But there’s more guys waiting in the wings.”