A Cyberattack on the Largest Health Insurer in the U.S. Could Put Your Prescriptions and Personal Data at Risk The issue was detected last Wednesday and has caused disruptions for the past week.
By Amanda Breen •
Key Takeaways
- Data breaches in the U.S. are at an all-time high.
- The cyberattack targeted Change Healthcare, a division of United's Optum.
- Change Healthcare is responsible for roughly 15 billion transactions a year.
A possible ransomware attack on a unit associated with UnitedHealthcare — the largest insurer in the U.S. — has upset drug prescription orders at thousands of pharmacies for the past week.
The cyberattack, detected February 21, targeted Change Healthcare, a division of United's Optum; two senior federal law enforcement officials said it looked like a foreign country had undertaken the attack, The New York Times reported.
Related: The Jaw-Dropping Range of Cybercrimes is Due to the Gap in the Cybersecurity Workforce
Change, which was acquired by UnitedHealth Group for $13 billion in 2022, is responsible for roughly 15 billion transactions a year, spanning U.S. patient records and prescriptions across dental, clinical, and other medical areas. It serves as a "digital intermediary" for pharmacies that need to confirm a patient's coverage, per the outlet.
Data breaches in the U.S. are at an all-time high, according to a report from Apple: In the first nine months of 2023, data breaches nationwide increased by almost 20% compared to all of 2022.
"This [UnitedHealthcare] incident serves as yet another reminder of the interconnectedness of the domestic healthcare ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem," Jeff Nesbit, a spokesman for the U.S. Department of Health and Human Services, told the Times.
Change said in a statement Monday that it had "worked closely with customers and clients to ensure people have access to the medications and the care they need" and that many pharmacies were able to keep filling prescriptions despite the challenge.
Related: 3 Reasons to Increase Your Cybersecurity Protocols in 2024
It remains to be seen if patient information was breached; if it was, federal law requires "vendors of personal health records and related entities" to inform those affected.