As a cyberattack continues to disrupt insurance processing at pharmacies across the United States, people like Mara Furlich are facing a stark choice: Pay, at least initially, out of pocket for critical care or risk the health consequences of not getting treatment.
Furlich, a 32-year-old Detroit social worker, went to a CVS pharmacy in the suburbs on Wednesday to get a Paxlovid prescription filled as her Covid-19 symptoms worsened, she told CNN.
But the pharmacy couldn’t bill her, and neither could multiple other pharmacies in the area. Nervous about a past case of long Covid, Furlich says she paid $1,600 of her own money to get Paxlovid, an FDA-approved drug for mitigating the effects of the coronavirus.
“It was really distressing,” Furlich said. “If we didn’t have $1,600, which most people wouldn’t just have … then we probably wouldn’t have been able to get it, and then I’m risking the consequences of Covid.”
The insurer has agreed to reimburse her, Furlich said, but she is one of many Americans in multiple states who are dealing with the fallout of a cyberattack this week on Change Healthcare, a unit of health IT giant UnitedHealth that processes prescriptions to insurance for tens of thousands of pharmacies nationwide.
It is only the latest in long list of hacking incidents that have roiled the health care sector in the last few years. Other cyberattacks have forced hospitals to divert ambulances and cancel patient ambulances.
The Naval Hospital at Camp Pendleton, the sprawling military base in Southern California, was among the health facilities where prescription services were disrupted by the Change Healthcare hack this week.
“This is impacting all military pharmacies worldwide and some retail pharmacies nationally,” Camp Pendleton said in a statement on its website.
Prescription insurance processing at big university health systems in Indiana and California have also been disrupted, according to internal email correspondence at the health systems reviewed by CNN.
The disruptions were ongoing on Friday afternoon, two days after they began, as a message on Change Healthcare’s website reiterated that it was dealing with a cybersecurity issue that had forced it to “disconnect our systems to prevent further impact.”
The disruptions were ongoing on Friday afternoon, two days after they began, as a message on Change Healthcare’s website reiterated that it was dealing with a cybersecurity issue that had forced it to “disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to.”
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” the statement continued. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect.”
The American Hospital Association has advised affected health care organizations to consider disconnecting from Change Healthcare’s network altogether until the issue has been resolved.
The hacking incident has alarmed some US cybersecurity officials.
For the last two days, officials from multiple agencies, including the FBI, the US Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services (HHS), have held multiple phone calls to try to stay on top of the Change Healthcare incident and track potential impacts on patient care, a US official familiar with the calls told CNN.
But a clear picture of those impacts is difficult to attain, the official said, describing ongoing disruptions and reporting coming in from across the country.
“HHS is working closely with Optum Insight to assess the cyber incident and its impact on patient care,” an HHS spokesperson said in a statement to CNN, referring to a health care business that merged with Change Healthcare in 2022. “The incident is a reminder to all healthcare providers and contractors to stay vigilant.”
Details are unclear on who was responsible for the hack. In a regulatory filing Thursday, Change Healthcare’s parent firm said “suspected nation-state associated” hackers had breached some of their computer systems.
CNN has not been able to independently corroborate that assessment. The Change Healthcare spokesperson declined to comment when asked on what information the company based its assessment that foreign government-linked hackers could be responsible.
The FBI and CISA did not respond for requests for comment on whether they agreed with Change Healthcare’s assessment on who was responsible for the hack.
The recovery process from the hack for Change Healthcare will likely be “lengthy and burdensome … before they can expect any return to normalcy,” said Max Henderson, an assistant vice president at security firm Pondurance, who has responded to numerous health care-focused cyberattacks.
“Investigations in these situations, especially for a victim of this size, can take weeks before any formal, final attestation letter towards containment (of the hack) can be provided to clients who require them.”
