“Malicious Threat Actor” Accesses UnitedHealth Group’s Monopolistic Data Exchange, Harming Patients and Pharmacists
Washington, D.C. — Since last Wednesday, doctors, pharmacies, and patients nationwide have been having trouble prescribing, dispensing, and accessing prescription medication. The reason is that a ‘threat actor’ infiltrated the quiet but critical systems of Change Healthcare, a dominant health care electronic data exchange.
It is unclear what information the threat actor accessed, but more than half of all medical claims in the United States pass through Change’s EDI clearinghouse, which in 2019 included “900,000 physicians, 118,000 dentists, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.” The Medicaid systems of Oklahoma, Washington state, Wisconsin, Minnesota, Illinois, Utah, Wyoming, Rhode Island, and Kansas rely entirely on Change Healthcare’s claims processing engine that relays prescriptions among doctors, pharmacies, and pharmacy benefit managers.
In 2022, Judge Carl Nichols approved the merger of UnitedHealth Group and Change Healthcare, over the objections of the Antitrust Division. He found that UnitedHealth Group “built a culture of trust and integrity around protecting the [competitively sensitive information] of its external customers, including rival payers.”
“We don’t know precisely why this disaster happened, but it is deeply concerning,” said Matt Stoller, Research Director at the American Economic Liberties Project. “It’s obvious that a core reason is that big business groups have been lobbying against mandatory cybersecurity standards, which means they don’t have to spend money preventing precisely such infiltrations. Less clear but as potentially important is the role of concentration. The clearinghouse market is far too consolidated and since there’s very little competition, customers can’t move to a different firm even though security is lax. We also don’t know how and whether the UnitedHealth Group-Change Healthcare merger impacted the security of these systems. Did Change Healthcare employees focus on on integrating with UnitedHealth Group instead of ensuring the security of patient data? What impacts did this merger have on cybersecurity standards, if any? There are many questions here and pharmacists and patients need answers.”
“The government needs to immediately investigate the lax security practices of UnitedHealth Group, and Congress must act to mandate corporate America implements cybersecurity standards,” Stoller added. “In addition, judges like Nichols need to reconsider their naïve belief in the promises of corporate executives to uphold standards of trust and integrity when there is no competitive pressure forcing them to do so.”
According to the company’s website, the following systems have been down since last Wednesday:
This incident affects: Change Healthcare Enterprise, Clinical Network (Clinical Document Collector API, Clinical Exchange, Clinical Exchange Channel Partners including ePrescribe and Orders & Results, Clinical Exchange Labs and Hospitals, CommonWell, Connectivity Gateway), Cost Transparency (Predictive Engagement, Provider Directory, True View), Dental Network (Credentialing Advocate Solution, Dental Claim Attachments, Dental Connect, Dental Credentialing Manager, Dental EDI Network, Dental Practice Analytic Insights, Dental Revenue Cycle Insights, SimpleAttach Solution), Eligibility & Enrollment (Dual Enrollment Advocate & Recert Complete, My Advocate, Part D Complete & Community Advocate, SSI Enrollment Advocate), Medical Network (Advanced Claim Management, Batch Claims, Claiming & Remittance, Claims Automation, Eligibility & Patient Access, ERA Transactions, Medical Claim Attachments, Paper-to-EDI, Payer Connectivity Services, Payer Data Services, Payer Finder website and API, Real-time Eligibility Transactions, Revenue Analytics), Medical Network APIs (Claims Responses and Reports API, Claims Status API, Eligibility API, Institutional Claims API, Payer Finder API, Professional Claims API), Medical Record Retrieval & Clinical Review (Clinical Abstraction, Medical Record Retrieval, Risk Adjustment Coding), Member Engagement & Experience (Interoperability API Connector, Member Payments, Smart Connect, Smart Appointment Scheduling, & Clinical Care Visits), Patient Engagement & Experience (Shop Book and Pay, Virtual Front Desk), Pharmacy Benefits & TPA (Medicaid Pharmacy Benefits Services, Smart Commercial Pharmacy Services), Provider Network Optimization (Contract Manager, Provider Manager, Reimbursement Manager), Revenue Cycle Management (AccuPost, Acuity Revenue Cycle Analytics, Ahi Lobby, AhiQA, Ambulatory Claims Manager, Assurance Reimbursement Management, Claims & Denials Advisor, Claims & Denials Management, Clearance Patient Access Suite, Financial Clearance, National Payments Connector, Patient Engagement Suite, Reporting & Metrics, Revenue Integrity, Revenue Performance Advisor), Risk Adjustment & Quality (Compliance Reporter, Dx Gap Advisor, Edge Complete, EMR Risk Advisor, Encounter Complete, Risk View), Value-Based Care (Business Process as a Service (BPaaS), Episode Manager, HealthQx, Prometheus Analytics, Risk Manager, Third-Party Administration, Value-Based Care Transformation Services), Customer Portals (Client Access System, ConnectCenter, Customer Care Hub, Customer Connection, Download Central, Download Connect, Enrollment Central, Vision), Payer Communications and Payment Services (Communications Complete – Payer, Payer Communications and Print, Payer Enrollment Services, Payment Network Advocate, Settlement Advocate), Provider Communications and Payment Services (Communications Complete – Provider, Member Correspondence Advocate, Patient Billing & Statements, Payment Automation, SmartPay for Providers, SmartPay Payment Integration, SmartPay Plus for Providers), Clinical Decision Support (InterQual® Review Manager – Hosted, InterQual® Government Services), and Pharmacy Solutions (MedRx, Network Solutions, Revenue Cycle Management, Rx Assist, Rx CardFinder Services, Rx Connect Solution, Rx Edit, SelectRx, UPBS Analytics website, UPBS Claims Manager website, UPBS Claims Processing, UPBS Configuration Manager website, Vaccination Record).
Learn more about Economic Liberties here.
###
The American Economic Liberties Project works to ensure America’s system of commerce is structured to advance, rather than undermine, economic liberty, fair commerce, and a secure, inclusive democracy. Economic Liberties believes true economic liberty means entrepreneurs and businesses large and small succeed on the merits of their ideas and hard work; commerce empowers consumers, workers, farmers, and engineers instead of subjecting them to discrimination and abuse from financiers and monopolists; foreign trade arrangements support domestic security and democracy; and wealth is broadly distributed to support equitable political power.