Burden of Change Healthcare cyberattack fell on pharmacists. But it shouldn’t have.

On The Cover

Loren Bonner & Corey Diamond, PharmD

When the Change Healthcare cyberattack occurred on February 21, 2024, pharmacy staff at Moose Pharmacy of Monroe in North Carolina initially thought insurance processing was down.

“For workflow purposes, we began to share with patients waiting in the pharmacy that their insurance was currently down, but these types of matters typically do not take long to resolve,” said Ashley Moose, PharmD, pharmacy manager of Moose Pharmacy of Monroe in Monroe, NC. “We assured them the processing would be up very soon. We thanked them for their understanding.”

Moose said her staff began to hear chatter of a cybersecurity breach, but they did not receive definitive communication until February 23, 2024. By that time, the cybersecurity threat was being reported in the news media.

As this story was being reported in April 2024, many pharmacies were still waiting for Change Healthcare’s clearinghouse to resume, digging out of the backlog of claims and waiting to be reimbursed by insurance companies for certain prescriptions and services.

“It’s surreal—everyone always says a cyberattack would happen, but nobody said it would go on this long,” said Eric Russo, PharmD, co-owner of Hobbs Pharmacy in Merritt Island, FL.

Change Healthcare, which merged with Optum in 2022, helps insurance plans and health care facilities manage payments for services such as prescriptions. Several sources estimate that Change Healthcare and Relay Health together control over 95% of the switch aspect in the pharmacy industry.

“This attack on Change Healthcare illuminated the serious vulnerability we have in our health care system when very few vendors own nearly all the market share of business. Had an attack simultaneously occurred on Relay Health, the consequences to our system could have been catastrophic,” said Michael D. Hogue, PharmD, FAPhA, FNAP, FFIP, executive vice president and CEO of APhA, in a blog post from April.

Just like many small physician practices, independent pharmacies have taken some of the worst hits.

“It’s mostly a cash flow issue with smaller practices having a harder time,” said Russo.

Lisa Schwartz, PharmD, senior director of professional affairs at the National Community Pharmacists Association (NCPA), said it’s impossible to overstate the importance of real-time claims processing for pharmacies.

“Pharmacy businesses rely on having pretty quick cash flow velocity,” said Schwartz. “That is to say that they buy inventory close to the day they expect to dispense it and rely on prompt reimbursement from pharmacy benefit managers in order to make timely payment to their wholesaler.”

Even slowing down reimbursement just a few days could mean a pharmacy starts accruing interest on a line of credit used to purchase drugs, according to Schwartz, or—in the worst case—becomes insolvent.

Workarounds

Because of regional differences in Medicaid processor outages, as of mid-April, there were still community pharmacies around the country with a backlog of Medicare Part B claims for things such as vaccines, nebulized drugs, and DME based on the Change Healthcare product they used to translate pharmacy claims, said Schwartz.

Raj Chhadua, PharmD, from ReNue Apothecary in Texas, said their billing for COVID-19 and flu immunizations for older adult patients under Medicare Part B went through Change Healthcare.

“Because of that, right now we have 900 claims that are stuck,” said Chhadua, when he was interviewed for this story in mid-April.

The discount cards or manufacturer coupons for HIV medications were also unavailable, and pharmacy staff at ReNue’s pharmacy locations couldn’t bill with them. Most of the patients taking these medications use discount cards because HIV medications have large copays associated with them. Medication adherence is important for this patient population, so delaying or not giving the medications was not an option, said Chhadua.

“We were out of pocket on that and there’s no guarantee that we are getting paid,” said Chhadua.

They’ve had to track patients in their system while they wait for operations to resume.

Moose said the manufacturer coupons proved to be one of the biggest inconveniences for her pharmacy and the patients they serve.

“Many [patients] rely on cost savings to maintain continued therapy for management of diabetes, atrial fibrillation, and other chronic diseases,” said Moose. “Without the coupon, the cost of the medication is simply not affordable for most patients.”

Change Healthcare holds the sole contract for at least 40 health plans. They also have singular contracts for many pharmaceutical manufacturer coupons and compassionate use programs.

“This meant that not only was the cyberattack disruptive on our system, but it also negatively impacted individuals in our society with health disparities who are particularly vulnerable,” said Hogue in his blog post. “Singular contracts in any aspect of health care delivery without a backup plan is, frankly, irresponsible in today’s world.”

To work around the issue, Moose Pharmacy of Monroe developed temporary solutions to help patients maintain continuity of treatment with those medications for diabetes, AFib, and other chronic diseases.

“These medications are very expensive to stock and dispense,” said Moose. “Without promise of reimbursement, the pharmacy was 100% fronting the cost of the drug until the system outage was resolved. This practice, in many circumstances, can further contribute to declining operational cash flow for community-based pharmacies.”

When the initial message from UnitedHealth Group was that the outage would only last the weekend, many pharmacies provided 72-hour emergency supplies—a provision typical in most state laws.

“But as the outage persisted, pharmacies had to weigh financial liability for future unpaid claims,” said Schwartz.

She said pharmacies seemed to take a mixed approach of advancing a full month’s supply or asking patients to pay out of pocket, which could be refunded, minus the copay, once claims processing resumed.

OptumRx (one of Optum’s businesses) announced modifications to its audit program to give pharmacies some reassurance. Schwartz said no other PBM did the same to her knowledge.

Affected pharmacies have been allowed to apply for the Change Healthcare/Optum Payment Disruption (CHOPD) Advanced and Accelerated Payments program.

Restoration

Russo felt like they were one of the lucky ones initially. With a backup system through PioneerRx, they didn’t have problems processing their regular pharmacy claims when the Change Healthcare attack occurred.

Eventually, however, they discovered that many of the companies they contract with used Change Healthcare, including those who handled their 340B claims processing. For DME, Change Healthcare was the clearinghouse to submit claims.

“What’s been so enlightening is how much of a footprint it has in pharmacy and how many different ways it affected us,” said Russo.

“As with the larger settings, the degree to which an independent pharmacy was affected was based on how reliant they were on service products offered by Change Healthcare,” said Schwartz.

Immediately, everyone across the board suffered from not having real-time claims processing for more than 20% of their business, said Schwartz, because UnitedHealth Group shut down OptumRx claims processing as a precaution.

“Like how a grocery store needs to route a debit card transaction to the card issuer, pharmacies that relied on Change to route claims were completely cut off. Many waited weeks to either establish a connection with another claims switch or in the worst-case scenario, for Change to resume claims switching,” Schwartz said.

At Moose Pharmacy of Monroe, the ability to process some prescriptions regained functionality as the weeks progressed. Manufacturer coupon cards, Medicare DME, immunization billing, and medication reconciliation services remained impacted throughout February and well into March, said Moose.

She said claims-processing functionality has been restored, and most claims for Medicare billing have also resumed. Manufacturer coupons have all been assigned new processing information.

“Our pharmacy staff has been working case by case to ensure claims impacted by the system outage have been properly reprocessed. Medication reconciliation services have not been entirely restored, but we are hopeful this will be resolved soon,” Moose said in mid-April.

Overreach

“All of this falls on us, but the burden needs to fall on these big companies—not on the providers,” said Chhadua.

Many see a failure on the government’s part, too.

Hogue said CMS did not exercise their obligation as the government’s purchaser of health care coverage to intervene in the crisis. “CMS should have taken a more forceful approach protecting pharmacies, as well as other health care providers, during the attack and Congress must give CMS the appropriate authorities to do so. This event should have been treated as any other public health emergency—with HHS having authority to do whatever is necessary to maintain access to care and the integrity of our health care system,” wrote Hogue.

He said HHS should evaluate all critical points in the U.S. health care infrastructure that rely on digital technology, and the redundancies or other fail-safes that are needed.

In written comments to NCPA, Chhadua said technology redundancy and government oversight in the pharmacy technology channel need to change.

“The CVS/Caremark outage in July 2023 and, just seven months later, the Change Healthcare UHC cyberattack, which severely impacted health systems and pharmacies nationwide, underscore the urgency of this discussion. Every critical infrastructure, particularly in health care, must incorporate deliberate redundancy measures. Relying solely on monopolies with self-serving interests jeopardizes consistent access to care. Without robust federal governance, these entities are free to cannibalize health care technology infrastructure, perpetuating vulnerabilities that ultimately harm providers and patients, both financially and in terms of quality care,” wrote Chhadua.

He said this cyberattack clearly shines a light on the problematic nature of having a few vendors own nearly all the market share of business. ■


Prescription for cyber resilience: Tips for safeguarding patient health and protecting your pharmacy

Pharmacies are highly reliant on robust cybersecurity practices to protect patient information and provide optimal care. In light of the rise in cybersecurity incidents that have affected pharmacies, Pharmacy Today reached out to informatics specialists and cybersecurity industry experts to help pharmacists prepare and protect their pharmacy systems from compromise.

What should be included in cybersecurity training sessions for pharmacy staff?

Organizations should focus on educating their staff about the risks of phishing emails, which can often appear very realistic. Since many people fall for these sophisticated scams, training should include examples to help staff members spot these deceptive messages and a straightforward method for reporting them, said Sree Gangavarapu, RPh, pharmacy informatics and revenue cycle specialist at Henry Ford Health in Detroit.

According to Brady McNulty, PharmD, a cybersecurity specialist in Roseburg, OR, some topics to cover include common red flags found in fraudulent prescriptions, phishing techniques and social engineering tactics, complex passwords or passphrases, “credential stuffing” attacks, multifactor authentication, and reminders about HIPAA restrictions regarding what data can be shared and with whom.

How can pharmacists collaborate with IT experts to assess cybersecurity risks, implement effective defenses, and respond promptly to security incidents?

The best way to be prepared is a two-pronged approach of being cyberaware or cyberliterate and also reporting suspicious activity, emails, texts, and more, to teams in charge of monitoring this for the pharmacy, said Jason Lam, PharmD, assistant clinical professor at UC San Diego.

Most corporate pharmacies will have dedicated IT teams managing their security, including defenses, updates, and backups. “Independent pharmacies should work with their software vendors to make the update and backup process clear. Independents can also work with third-party IT vendors to set up a cybersecurity framework for their business,” said McNulty. “This step is critical, as having even basic protections in place might save a small business.”

Any suspected concern should be reported immediately, and corporate legal and IT teams should be consulted on how, what, and when to communicate to patients who may be at risk. It should not be a burden for staff or pharmacists in charge to have to develop a remediation plan, said Lam.

How should pharmacies back up essential data to minimize the impact of cybersecurity issues?

Pharmacies can minimize the impact of a cyberattack by performing regular backups, keeping offsite storage preferably in a secure cloud, making sure back-end data are encrypted, using automated backup processes, and more, said Gangavarapu.

“Ideally, backup copies of essential data should be maintained separate from the main network, such as in a cloud offering, to minimize the risk of it being exposed during a potential attack. If a threat actor enters the network, one of their priorities is to pivot and see where else they can travel on the network,” said McNulty. “If the backup server is connected to the same network, that machine is now a target for the threat actor.”

What are ways pharmacists can regularly update pharmacy software systems?

Restarting computer systems, running software and system updates, and using antivirus programs will ensure systems have the proper safeguards, said Lam.

Keeping systems updated and patched (patches are pieces of software code that fix issues) is one of the best steps pharmacies can take. However, no two pharmacies are alike. Companies should have a patch management process that balances security with the requirements of all software and devices running in the environment. For example, some medical equipment and pharmacy production software might have restrictions that cause delays in patching, said McNulty.

What standards do pharmacies have for their technology systems?

Pharmacies must abide by federal and state laws and regulations. HIPAA plays a large role in this, but so does the Health Information Technology for Economic and Clinical Health Act, which expands the requirements of HIPAA for data security and provides steeper penalties for violations, said McNulty.

To protect organizations from cybersecurity attacks, the National Institute of Standards and Technology released a draft Cybersecurity Framework Profile providing strategies to bolster defenses, said Gangavarapu.

Additionally, virtually every pharmacy processes credit card transactions, which brings them under the purview of the Payment Card Industry Data Security Standard (PCI DSS). This is an industry standard rather than a law, but it ensures the security and protection of cardholders and transaction data against misuse, McNulty said.

How can pharmacists help patients protect themselves?

Pharmacists can educate patients that scams and phishing attempts can take many forms—such as email, text, and phone calls. Often, social engineering attempts have information—such as name, date of birth, employer information, etc.—that causes patients to let down their guard and offer prescription or financial information. Threat actors often pose as a reputable source—such as a staff member from a provider’s office or a pharmacy team member, said Lam.

For older adult patients, this could be a phone call from someone posing as an insurance agent requesting their Social Security number or Medicare ID number so they can give them an even better insurance rate, or an email threatening to cut off the patient’s coverage altogether if they don’t provide the requested information, said McNulty.

“To protect against this, I recommend people become familiar with the signs of phishing attempts,” said McNulty. “Look for typos, suspicious links, and other hints in unsolicited emails. Double-check sender information to see if they’re using an address that’s similar to, but different from, the organization they purport to represent.”

Also, check the tone of the message. Is the other person being overly kind, mean, perhaps even threatening? These can be red flags, McNulty added.

“For email and texts, patients should avoid clicking on any links and look for bad grammar when receiving communication,” said Lam. “When in doubt, pharmacists can suggest patients call the pharmacy number back directly as an outbound call.”

“I also recommend they phone a friend; if something looks bogus, don’t be afraid to contact a loved one to run it past them,” McNulty suggested.

People can freeze their credit by contacting each of the three credit bureaus. “It’s easy to do and you only need to unfreeze it if you’re applying for credit or loans. Unfreezing is also easy and quick,” said McNulty.

“The best caution I provide to patients and family members is, ‘if it sounds too good to be true, it generally is’,” said McNulty. ■

Cybersecurity recommendations from APhA

On May 2, 2024, APhA issued cybersecurity recommendations to secure pharmacy operations nationwide. They were issued as part of a congressional hearing on the Change Healthcare cyberattack, and were also shared with the White House, HHS, and other relevant private and public organizations.

APhA said it stands ready to work with policymakers to discuss lessons learned from the Change Healthcare cyberattack, and what’s needed to implement these recommendations for prevention, mitigation, emergency preparedness and response, and penalties to ensure this does not happen again.

The recommendations include:

  • Map out the pharmacy ecosystem to identify infrastructure vulnerabilities.
  • Expand accountability for protection of protected health information.
  • Increase the penalties for breaches and noncompliance.
  • Clarify breach notification requirements for downstream covered entities.
  • Require business continuity/backup systems for entities that transmit, hold, or otherwise manage protected health information and health care business information.
  • End vertical integration practices that result in health care market consolidation.
  • Incentivize minimum standards for cybersecurity.
  • Establish a federal cyber-insurance program.
  • Consider and appropriately fund cybersecurity within emergency preparedness and response procedures and practices across the country.

Visit www.pharmacist.com/Advocacy/Issues/Cybersecurity to view the full recommendations. ■


The Joint Commission’s guidance for action during cyberattack threats

The health care sector faces a growing threat from cyberattacks, with hospitals being prime targets. Inpatient hospital pharmacies are essential but vulnerable components since they manage inpatient medications and play a critical role in patient care.

In 2023, The Joint Commission released a Sentinel Event Alert that specifically addressed how hospitals can preserve patient safety during and after a cyberattack. The alert calls for not just IT staff, but all hospital staff to have a response ready in the event of a cyberattack.

The Joint Commission Emergency Management (EM) Standards

  • Standard EM.11.01.01 requires hospitals to conduct a hazards vulnerability analysis, which instructs hospitals to identify human-caused hazards, including hazards from cyberattacks. Hospitals must implement measures to mitigate cybersecurity risks and prepare for potential disruptions to services.
  • Standard EM.13.01.01 requires hospitals to plan for continuity of operations.
  • Standard EM.14.01.01 requires a disaster recovery plan.
  • Standard EM.15.01.01 requires emergency management education and training.

The Joint Commission forecast

According to The Joint Commission, in the event of an attack, hospitals should be prepared to have life- and safety-critical technology offline for an extended period. Recommendations are based on case reports from previous attacks in recent years.

“In high-impact attacks, where there is a disruption or disablement of technology across the enterprise, we have seen very consistently that it will take about 4 weeks for just the mission critical technologies to be restored,” said John Riggi, a national advisor for cybersecurity and risk at the American Hospital Association, in a podcast with Executives for Health Innovation from January 2023.

Among these critical systems that may be affected by a cyberattack are pharmacy systems, particularly medication order entry and medication reconciliation systems. For instance, the medication order entry systems are relied upon for several functions, including verifying dosages, detecting drug interactions, warning about allergies, administering chemotherapy safely, and determining appropriate dosing for pediatric patients based on their weight. Equally important is ensuring quick access to medical history and test results, and enabling rapid communication of laboratory, radiology, and pathology findings to various health care providers.

According to The Joint Commission, pharmacy departments should have plans to map the consequences of losing the support of these technologies.

Examples and lessons learned

The Joint Commission Sentinel Event Alert included a patient case example from the Academic Medical Center Patient Safety Organization EHR Downtime Task Force.

According to the report, a patient with a history of vascular issues was hospitalized due to deep vein thrombosis during an EHR system outage. The patient received I.V. blood thinners and later transitioned to warfarin. However, during this transition, there was no alert regarding a lipid-lowering medication the patient was also taking—which could potentiate the effects of warfarin. Additionally, delayed lab results due to the EHR being down further complicated the situation, leading the patient to develop GI bleeding.

This incident underscores how the absence of clinical decision support during EHR downtime negatively affected patient care. Consequently, the hospital’s pharmacy implemented specific protocols to closely monitor high-risk medications during such downtimes.

“The recent increase in cyberattacks, especially ransomware attacks, on hospitals and health systems means that the potential to experience a cyberattack that adversely affects operations is not an ‘if’ but a ‘when’ question,” wrote The Joint Commission in their newsletter. “There are actions that hospitals and other health care organizations can take to prepare to deliver safe patient care in the event of a cyberattack by using The Joint Commission’s EM Standards as a framework and following the suggested actions in this Sentinel Event Alert.” ■

Posted: Jun 7, 2024
Categories: Practice & Trends