Hackers jam prescription drug copays

A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week, forcing some to choose between paying prices hundreds or thousands of dollars above their usual insurance-adjusted rates or going without lifesaving medicine.

Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay. The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover.

Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers.

“When one of them goes down, obviously it’s a major problem,” said Patrick Berryman, a senior vice president at the National Community Pharmacists Association.

Arkansas Pharmacists Association Chief Executive Officer John Vinson said nearly all of the state’s pharmacies have been affected by the attack, “but it’s to varying degrees.” He said some pharmacies are completely down and are charging customers their previous copay, hoping that the system is up and running again soon so that they can bill the claims.

A notorious Russian-speaking ransomware ring known as ALPHV claimed responsibility for the Feb. 21 breach, capping a string of attacks that included several hospitals.

The lasting issues underscore the continued fragility of critical infrastructure nearly three years after a ransomware attack on Colonial Pipeline prompted a shutdown of the biggest network of fuel pipelines in the United States. Service stations, particularly in the eastern half of the country, ran short of fuel as consumers rushed to gas up.

Since then, U.S. officials and their international partners have announced a series of operations that have included hacking the gangs, taking over their chats with business associates and, in some cases, making arrests. ALPHV was targeted in a December takedown that proved short-lived.

U.S. pharmacies reported a wide range of impacts, with independent stores experiencing some of the worst problems.

UnitedHealth estimated that more than 90% of the nation’s 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price.

At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are “a small number of cases in which our pharmacies are not able to process insurance claims” as a result of the outage. It said workarounds were allowing it to fill prescriptions, however.

Many pharmacies have started routing claims through CoverMyMeds, which posted a notice online Feb. 22, “No outages here.” The company, owned by McKesson, did not respond to a request for comment Thursday.

For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient’s copay or offer them the cash price.

Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well.

UnitedHealth’s own pharmacy services company, Optum Rx, said it, too, disconnected but that it would not penalize pharmacies that made their best efforts to tell whether a given drug was covered for a patient. Optum said in a letter to those pharmacies that it was “committed to reimbursing all claims that are appropriate and filled with the good faith understanding that a medication should be covered.”

The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers.

Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.

The outage has also created havoc for patients who use drugmaker coupons to get their prescriptions at a discount. Some reported being told that the coupon system also relies on Change Health.


Spencer Reed, who co-owns ReedHutchins Pharmacy in Heber Springs, has been allowing customers to pay their copay from previous refills. He said up to 30% of his patients have been affected.

“For some of them, we’ve gone out on a limb and processed it, put it into a holding field and charged them what we normally charge them,” he said. “And we’re hoping that, when they get all this corrected, we’ll be able to process and get reimbursed for it like we should. If we don’t, then we’re obviously losing money on it.”

In Reed’s 25 years as a pharmacist, similar problems have typically been solved within 48 hours. It’s been a challenge to explain to customers what the problem is.

“All they really want is their medication,” he said. “In certain cases, it’s diabetic medication.”

The Arkansas Pharmacists Association’s Vinson said he is worried the businesses that handle prescription and insurance data have consolidated to the point that they are too big to fail: “Not enough competition and not enough choices that whenever there’s a ransomware attack like this, probably from some foreign government, if we have so much consolidation in our health care space, then it puts our entire system at risk. There’s not enough market competitors, and it can cripple our infrastructure.”

“It underscores the vulnerability of our health care delivery system when we don’t have good market solutions that are local and not vertically integrated and consolidated at such a large level,” he said. “When you have 100% of the pharmacies in Arkansas relying on Change Health to process claims for prescriptions that patients need to save their lives, that’s a problem.”

Reed said he is similarly concerned about the lack of competition among switch businesses.

“Optum and Change Health run so much of it and own so much of it that if they go down, you can’t switch over and use someone else just for a little while until they get back up and going, because there is no one else,” he said.


The Change Health hack has been particularly tough on independent pharmacies, because they can only see prescriptions that a patient filled at their pharmacy — and not ones that the patient filled at others. The “switch” connects independent pharmacies to insurers or pharmacy-benefit managers who have a more expansive view.

This means small pharmacies wouldn’t know if a drug they dispense interacts with another drug a patient received at a different pharmacy or whether a patient is trying to fill a controlled substance from multiple pharmacies.

“They’re flying blind when it relates to prescriptions filled at other pharmacies,” said Berryman, the National Community Pharmacists Association official.

ALPHV is one of the largest groups performing “ransomware as a service,” splitting extortion money with affiliates that do the actual hacking and then install ALPHV’s BlackCat ransomware encryption program. ALPHV then handles the threats and negotiations.

The group has collected more than $300 million this way, hitting such high-profile targets as Caesars Palace in Las Vegas.

In December, the Justice Department said it and partner nations had hacked ALPHV, recovering hundreds of decryption keys so that victims could get their data back without paying, and some analysts predicted the group would not recover from the internal penetration.

But as the past week has shown, ALPHV was hardly disabled. ALPHV reappeared on another site within days and announced it would exact revenge. It invited its affiliates to break into more sensitive American targets.

“These law enforcement-led disruptions are most effective when they are paired with an arrest or identifying information about individuals,” said Adam Meyers, senior vice president of intelligence at security company CrowdStrike.

Groups open to affiliates are especially resilient unless the trust among the criminals is broken, said Chris Krebs, former head of the U.S. Cybersecurity and Infrastructure Security Agency.

“If you want permanent, long-lasting impacts, it is going to require taking some of these guys off the playing field,” Krebs said. “But there’s more guys waiting in the wings.”

Information for this article was contributed by Joseph Menn and Daniel Gilbert of The Washington Post and Aaron Gettinger of the Arkansas Democrat-Gazette.

