Fallout from a ransomware attack on the country’s largest health care payment processor is “the most serious incident of its kind leveled against a U.S. health care organization,” American Hospital Association CEO Rick Pollack said Thursday evening.
The attack has crippled Change Healthcare, a company that provides a widely used program for health care providers to manage customer payments and insurance claims. The company has taken most of its systems offline to prevent the attack from spreading, a common countermeasure.
“Nine days into the attack on Change Healthcare, a health care technology company that is part of Optum and owned by UnitedHealth Group, effects are continuing to be felt throughout the entire health care system,” Pollack said in a news release. The American Hospital Association is the country’s largest health care industry group.
That outage has been devastating for small and midsize health care providers. Doctors told CNBC that the outage has prevented them from being able to electronically fill prescriptions and has kept insurance providers from reimbursing providers.
Change says it processes 15 billion health care transactions each year and is involved in a third of all American patient records.
In an emailed statement, a spokesperson for Change Healthcare’s parent company, UnitedHealth Group, indicated that thousands of pharmacies are using “offline processing workarounds.”
More than 90% of the more than 70,000 U.S. pharmacies that use Change Healthcare’s payment processor are using alternate ways to process payments, the spokesperson said.
UnitedHealth Group announced on its website that it discovered the attack on Feb. 21, and that cybercriminals deployed a type of ransomware called Alphv.
Alphv is created by Russian-speaking cybercriminals, though it’s unclear who installed it on Change Healthcare’s systems.
The same ransomware was used in the devastating attack on MGM Resorts in Las Vegas last year, though experts and a person familiar with that attack said it was installed by a small group of young, English-speaking hackers.
A coalition of U.S. and European law enforcement agencies announced an operation to disrupt Alpv in December, though it appears it has somewhat recovered.
Change Healthcare is working with U.S. law enforcement and has retained two major cybersecurity companies, Google-owned Mandiant, and Palo Alto, to work on recovery, a spokesperson said in a statement.