Change Healthcare Cyberattack: Preserving Continuity of Care and Preparing for Recovery

Dear Colleagues,

The Feb. 21 ransomware attack on UnitedHealth Group subsidiary Change Healthcare has alarmed many of us in the healthcare sector and disrupted the daily operations of hospitals and pharmacy departments across the nation.

When news of the cyberattack was announced, ASHP began reaching out to our front-line members to learn how the event is affecting their work. We have also been in communication with the American Hospital Association, UnitedHealth Group, the Centers for Medicare & Medicaid Services, and other provider organizations as we work to support members and your patients in an incredibly challenging environment.

Many hospital and health-system pharmacies have reported being unable to process pharmacy claims or access e-prescribing. To work around these limitations, providers have been forced to default to new systems or even paper records, significantly increasing workloads and slowing workflows. For patients, this unprecedented cyberattack is delaying prescription processing and access to needed medications.

ASHP is working on key initiatives to support our members, including:

  • Requesting that the Department of Health and Human Services (HHS) take action to:
    • Increase Provider Communications: Although Change Healthcare has been in contact with providers through calls facilitated by UnitedHealth Group, ASHP members are still struggling to get information about the timeline for service restoration and reassurance that prescriptions that are filled while services are down will be reimbursed. ASHP urges HHS to act as a conduit for updates from Change Healthcare by sending information out via established HHS communications channels.
    • Pause Audits: Health plans and pharmacy benefit managers should be prohibited from conducting audits or compliance reviews until the cyberattack has been resolved.
    • Provide Regulatory Flexibility: Until services are restored, we urge HHS to provide flexibility and to exercise enforcement discretion related to e-prescribing and “good faith” estimates of prescription costs.
    • Make Pharmacies Whole for Good Faith Dispensing: ASHP is concerned about the uncertainty of receiving reimbursement for a prescription filled in good faith to ensure patient continuity of care and safety. ASHP will continue to work with stakeholders and members on this issue.
    • Address Longer-Term Impacts: Although providers are focused on addressing pressing needs, we need to address the long-term impact and the need for a national action plan for responding to future cyberattacks.
  • Leading a group letter from pharmacy organizations to HHS outlining next steps to ensure providers and patients are protected from continued fallout associated with the cyberattack.

This isn’t the first cybersecurity threat healthcare organizations have faced, and we know it won’t be the last. According to HHS, data breach reports more than doubled from 2022 to 2023, with more than 134 million Americans affected by breaches last year alone.

The findings from ASHP’s 2023 Pharmacy Forecast make clear that cybersecurity threats are a serious problem. About 60% of forecast panelists said it’s at least somewhat likely that cyberattacks will cause extended service interruptions at half or more of U.S. health systems in the near future. And about 80% said it’s similarly likely that a cyberattack or malware will cause a critical supply chain shortage.

The forecast report recommended that pharmacy operations be fully integrated into systemwide security efforts. The report also urges health systems to plan and prepare for extended downtime from cyber threats that affect the medication use process.

We don’t yet know when the Change Healthcare cyberattack will be resolved. But it’s clear that cyber threats are here to stay, and preventing and responding to them will remain an ongoing priority for ASHP.

Thank you for all you do for your patients and our profession.



Posted on March 1, 2024