Change Healthcare attack did not result in harm to veteran care, VA says

The February cyberattack on Change Healthcare affected a number of the Department of Veterans Affairs’ systems and temporarily delayed some veterans’ prescription orders but did not cause “any adverse impact on patient care or outcomes,” according to a department spokesman. 

Change Healthcare — a subsidiary of UnitedHealth Group and the largest healthcare payment system in the U.S. — was the target of a ransomware attack in February that disrupted payments and prescription processing at hospitals and medical centers across the country. Some healthcare providers reportedly lost up to $1 billion a day as a result of the cyberattack. 

VA Press Secretary Terrence Hayes said the agency’s cybersecurity operations center “confirmed [that] no malicious activity or irregularities were present” in the agency’s systems, although he added that the attack “impacted a significant number of VA’s information technology functions.”

Hayes said the cyber incident was responsible for “taking the CommonWell health information exchange offline and taking the clearinghouse services that support Community Care claims, revenue operations and payment operations offline.” He also said the ransomware attack caused disruptions to inbound prescription orders and VA’s ability to configure some of its systems for storing and retrieving medical images and associated data. 

As a result of the cyber incident, the agency experienced some issues fulfilling prescriptions electronically sent from VA medical centers. This affected just over 40,000 veterans’ medications, although VA fills approximately 525,000 prescriptions on an average day and quickly moved to fill the orders for affected veterans without identifying any resulting patient harm. The department said most of the affected orders were for refills, which are processed and filled multiple days in advance of patients’ refill date.

“We have restored many of the capabilities impacted, veteran access to care has not been impacted and community providers serving veterans are being paid,” Hayes said, adding that “VA continues to work diligently to restore all outstanding capabilities.”

After the cyberattack occurred, VA placed a banner on its main website and on the websites for its medical centers to alert veterans, clinicians and providers about the incident. It also created alternative claims pathways to help minimize any impact on processing veterans’ claims.

While the third-party administrators for VA’s Community Care Network — Optum and TriWest — continued to pay providers for healthcare claims during the ransomware attack, providers outside the agency’s network were more significantly affected by the cyberattack. VA is continuing to process these claims now, but the department said “the extended period of time where VA was unable to receive these claims” resulted in some providers needing to resubmit their claims to the department in order to receive payment.

During a House Appropriations Subcommittee on Military Construction and Veterans Affairs hearing on April 16, VA Secretary Denis McDonough said the deployment of the agency’s new Oracle Cerner electronic health record system at the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois last month successfully occurred in the midst of the ransomware attack. He said, however, that VA was unable to determine whether some issues with the EHR system’s prescription software were related to the new EHR system or to the cyber incident. 

“It's hard to discern, you know, some of our concerns about, for example, the pharmacy function in our record and how much of that is a reflection of Change Healthcare, and the interoperability of that system with ours now, and how much of that is the new system,” McDonough said.

He added that “there are still challenges with the UnitedHealth Group” and that VA held “a very serious meeting with them” to discuss ongoing issues.