Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Businesses Medicine Security United States

Ransomware Attack Hampers Prescription Drug Sales at 90% of US Pharmacies (msn.com) 81

"A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week..." reports the Washington Post.

"The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover." Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay... Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers. "When one of them goes down, obviously it's a major problem," said Patrick Berryman, a senior vice president at the National Community Pharmacists Association...

UnitedHealth estimated that more than 90 percent of the nation's 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price. At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are "a small number of cases in which our pharmacies are not able to process insurance claims" as a result of the outage. It said workarounds were allowing it to fill prescriptions, however...

For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient's co-pay or offer them the cash price. Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well... The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers. Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.

The situation has been "extremely disruptive," said Erin Fox, associate chief pharmacy officer at University of Utah Health. "At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price," Fox said by email. "In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients." Axis Pharmacy Northwest near Seattle is "going out on a limb and dispensing product with absolutely no inkling if we'll get paid or not," said Richard Molitor, the pharmacist in charge.
UPDATE: CNN reports Change Healthcare has now announced "plans for a temporary loan program to get money flowing to health care providers affected by the outage." It's a stop-gap measure meant to give some financial relief to health care providers, which analysts say are losing millions of dollars per day because of the outage. Some US officials and health care executives told CNN it may be weeks before Change Healthcare returns to normal operations.
"Once standard payment operations resume, the funds will simply need to be repaid," the company said in a statement. Change Healthcare has been under pressure from senior US officials to get their systems back online. Officials from the White House and multiple federal agencies, including the department of Health and Human Services, have been concerned by the broad financial and health impact of the hack and have been pressing for ways to get Change Healthcare back online, sources told CNN...

In a message on its website Friday afternoon, Change Healthcare also said that it was launching a new version of its online prescribing service following the cyberattack.

Thanks to Slashdot reader CaptainDork for sharing the news.
This discussion has been archived. No new comments can be posted.

Ransomware Attack Hampers Prescription Drug Sales at 90% of US Pharmacies

Comments Filter:
  • by Dictator For Life ( 8829 ) on Saturday March 02, 2024 @10:53AM (#64284480) Homepage
    Only a particularly vile life form would stoop to putting innocent bystanders in harm’s way like this for the sake of a few bucks.
    • Re:Despicable (Score:5, Insightful)

      by Khyber ( 864651 ) <techkitsune@gmail.com> on Saturday March 02, 2024 @11:10AM (#64284498) Homepage Journal

      The Ransomware group or the Insurance companies?

    • Only a particularly vile life form would stoop to putting innocent bystanders in harm’s way like this for the sake of a few bucks.

      You may not want to admit it but that's almost everybody. I say this because despite the fact that climate change will kill hundreds of millions of people by 2100 (and if it get really bad then almost everyone by 2200), just about everyone keeps driving around in their cars like it's no big deal because "EVs cost more money" (despite having a lower Total Cost of Ownership). It's easy to do this because they are people you will never see, never meet, and they will never have the ability to shame you. The gr

      • I'm not excusing anyone, I'm saying it's a prevalent human failing to be OK with hurting people that you cannot see and it really is despicable.

        That's pretty much the meat industry too, if people saw how animals are treated and slaughtered, most would stop eating meat entirely.

    • Only a particularly vile life form would stoop to putting innocent bystanders in harm’s way like this for the sake of a few bucks.

      I can no longer get my glaucoma refills because of this. Please, intelligence agencies, put the supercomputers to work and break the cryprocurrencies that ransomware operators use. That's they ONLY way to put them out of business.

      • put the supercomputers to work and break the cryprocurrencies

        You are way overestimating the capability of supercomputers.

        That's the ONLY way to put them out of business.

        Or the insurance companies could fix the security holes on their servers.

        • put the supercomputers to work and break the cryprocurrencies

          You are way overestimating the capability of supercomputers.

          That's the ONLY way to put them out of business.

          Or the insurance companies could fix the security holes on their servers.

          You are right, but how satisfying is it to blame the victim. I mean, that woman dressed provocatively, so she deserved it, amirite?

    • by gweihir ( 88907 )

      Indeed. Hence life-sentences for those responsible for obviously extremely shoddy security in the systems affected for the sake of a few bucks. And, bonus, it is easy to find out who these cretins are! Glad we are on the same page!

  • by david.emery ( 127135 ) on Saturday March 02, 2024 @10:58AM (#64284484)

    Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?

    And, of course, the US medical system once again shows the implicit problems with the complexity of the network of middlemen that "manage" heath care by adding overhead to the system to line their own pockets.

    • And, of course, the US medical system once again shows the implicit problems with the complexity of the network of middlemen that "manage" heath care by adding overhead to the system to line their own pockets.

      You think other palces are immune?

      UK
      https://www.theguardian.com/te... [theguardian.com]

      Barcelona
      https://apnews.com/article/bar... [apnews.com]

      Germany
      https://www.scmagazine.com/bri... [scmagazine.com]

      France
      https://www.bleepingcomputer.c... [bleepingcomputer.com]
    • Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?

      bEcAuSe ThE FrEe mArKeT!!!

      And, of course, the US medical system once again shows the implicit problems with the complexity of the network of middlemen that "manage" heath care by adding overhead to the system to line their own pockets.

      The implicit problem is that ensuring security/correctness (which requires time/money) runs counter to their profit motive. In commercial software their is an eternal fight between profit and security, so it's no wonder nothing ever changes.

    • by aaarrrgggh ( 9205 ) on Saturday March 02, 2024 @12:48PM (#64284644)

      I'll ask a much easier question: Why don't we have single payer healthcare?!

      This is a perfect example of why our system costs so much. You have so many levels of companies trying to make a buck in the chain of healthcare that it creates an unsustainable model.

      But back to the vulnerabilities, the vendors are linked in as middlemen to a business process. That situation will always be complex and fragile, especially when they seek to be middlemen for the broader market. Securing the mess is practically impossible. (Hence my original question.)

      • I'll ask a much easier question: Why don't we have single payer healthcare?!

        This is a perfect example of why our system costs so much. You have so many levels of companies trying to make a buck in the chain of healthcare that it creates an unsustainable model.

        Ding!

        You have asked the right question ...and answered it. We have too many companies making too much profit for too many people to allow an efficient and effective healthcare system. The economy would lose billions! Millions would be unemployed! Profits would fall! Retirement investments would be harmed!

        That is not sarcasm...just hyperbole. There would be widespread negative consequences if we fixed our healthcare system. Many very profitable corporations would be eliminated, their stocks worthless,

        • Yet somehow MS putting people out of work is ok.

        • We need to open up more spots in medical school and bring in something like H1b visa Healthcare workers to bring down the code of care. When we start importing cheap skilled labor, the entrenched groups will beg the government to provide single payer Healthcare so their jobs are protected, making them all government employees. On second thought, I don't want the goverent to provide my Healthcare. I can already see how we've weaponized the government against political rivals. It will only get worse if we w
          • First you need to reduce the cost of medical school. I know at least one HMO decided to open their own. Doctors are trained with the specific end-goal of working in their hospitals.

    • Why vendors should not be held legally liable for vulnerabilities in their software that enable such attacks?

      If you hold vendors legally liable for vulnerabilities in their software, no one will be willing to make software.
      Why risk jail or financial ruin if something goes wrong?

      • If you hold vendors legally liable for vulnerabilities in their software, no one will be willing to make software.
        Why risk jail or financial ruin if something goes wrong?

        That hasn't stopped people from making cars, airplanes, medical devices, prescription or non-prescription drugs, to name Just A Few industries... And to pick on Boeing, do you think it's A Good Thing that Boeing NOT be held liable for the safety problems in their aircraft? The MCAS problem was in large part a software problem.

        • That hasn't stopped people from making cars, airplanes, medical devices, prescription or non-prescription drugs, to name Just A Few industries... And to pick on Boeing, do you think it's A Good Thing that Boeing NOT be held liable for the safety problems in their aircraft? The MCAS problem was in large part a software problem.

          To pick on your Boeing example... that is not an example of a vulnerability to an attack from an outside source. If a Boeing jet was shot out of the sky with a surface-to-air-missile and Boeing was to be held liable for not preventing it... that would be comparable to what you proposed.

    • by micheas ( 231635 )

      In this case, they are going to be facing questions from HHS (department of Health and Human Services) and if HHS doesn't like the answers they receive they can refer them to the Justice Department for prosecution under HIPAA for negligence with a maximum jail term of 10 years.

      Their defense will be "We followed HITRUST and are certified as HITRUST compliant". Never mind that HITRUST is a severely flawed security standard that has many requirements that weaken security.

      It is the worst thing about working in

  • Given (Score:4, Insightful)

    by Ol Olsoc ( 1175323 ) on Saturday March 02, 2024 @11:35AM (#64284524)
    Given that these are the lowest form of life, and

    Given that they are interfering with life giving drugs, and Given that innocent people could die.

    When found, they should be terminated with extreme prejudice.

    • When they are found, it will be possible to stop them without committing murder.

      If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.

      • by Calydor ( 739835 )

        If someone kills a person they can, at least in some countries, be sentenced to death themselves - even though they have stopped killing the person (on account of the person being dead and all).

        This is no different. These ransomware guys have gone from hackers to terrorists literally endangering (and possibly ending) the lives of others. I am generally not in favor of capital punishment, but these guys - the actual guys, not just who we would like to think did it - deserve it.

        • If someone kills a person they can, at least in some countries, be sentenced to death themselves - even though they have stopped killing the person (on account of the person being dead and all).

          This is no different. These ransomware guys have gone from hackers to terrorists literally endangering (and possibly ending) the lives of others. I am generally not in favor of capital punishment, but these guys - the actual guys, not just who we would like to think did it - deserve it.

          It is a war situation, no different that say, the attack by the Empire of Japan on Pearl Harbor, or any of the other attacks that kill people.

          I'm not a death penalty advocate either. But utter cowards attempting to create havoc and death need removed ASAP. So I am okay with terminating them with extreme prejudice.

      • When they are found, it will be possible to stop them without committing murder.

        If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.

        I see, you would have been a blast to be around in WW2 - "Don't fight back against the Empire of Japan, or Germany, and Italy. I mean sure, they're killing our people, but yo kill any of them would be hypocritical."

        Anyhow, I take it you won't defend yourself either.

      • When they are found, it will be possible to stop them without committing murder.

        If your concern is that they might have killed people, it is especially hypocritical of you to insist upon their death when they can be stopped without it.

        Heads on pikes will convince others never to go into this line of business.

        • Heads on pikes will convince others never to go into this line of business.

          Indeed when a whole bunch of these people suddenly turn up mysteriously dead, word will spread in the places on the dark web that they like to gather. They need a bit more risk to balance out the rewards.

    • Given that these are the lowest form of life, and

      Given that they are interfering with life giving drugs, and
      Given that innocent people could die.

      When found, they should be terminated with extreme prejudice.

      Apropos of nothing, would this be before or after the trial?

      • Given that these are the lowest form of life, and

        Given that they are interfering with life giving drugs, and Given that innocent people could die.

        When found, they should be terminated with extreme prejudice.

        Apropos of nothing, would this be before or after the trial?

        How many do you want to die while the others continue.

        To me, another person in another part of the world that is actively trying to extort and kill completely innocent people who already have some big problems needs stopped.

        The question might also be asked should Americans have put every Japanese Soldier on trial before terminating them? I suppose it all depends on whether you think that purposely killing innocent people in another nation is an act of war or not. If you think it is just computer fun

      • Apropos of nothing, would this be before or after the trial?

        Ask ISIS how that works.

    • Per Khyber

      The Ransomware group or the Insurance companies?

    • by gweihir ( 88907 )

      Half of the ones responsible are known: The fuckups that have "laughable" level security on critical systems. I think we should start with lining them them against a wall, which they richly deserve. Glad you agree!

      • Half of the ones responsible are known: The fuckups that have "laughable" level security on critical systems. I think we should start with lining them them against a wall, which they richly deserve. Glad you agree!

        Did ya ever wonder how much of this lack of security on the user end was because the security people were hamstrung?

        You identify half of the problem, but blame the victim. You know, like those pretty women that dress provocatively, you know, to turn men on, so the woman are responsible if a man molests them.

        Y'all trying to claim hypocrisy, when I have made my point clear - I and many others consider it an act of war, and as such the soldiers for the other side can't demand we not fight back - of cour

        • by gweihir ( 88907 )

          I am well aware that often "management" will be among the fuckups. I do expect security experts to quit their jobs though when they are prevented from securing critical systems properly. And obviously, there are quite a few incompetent security people as well. So no victim blaming at all. Being incompetent while holding a critical position makes you a _perpetrator_.

    • by micheas ( 231635 )

      Given that these are the lowest form of life, and

      Given that they are interfering with life giving drugs, and Given that innocent people could die.

      When found, they should be terminated with extreme prejudice.

      We already know where the Health Insurance C suite executives live.

    • When found, they should be terminated with extreme prejudice.

      If I could trust you to positively identify them rather than merely dragging out some poor souls who got caught in your dragnet, I would allow you to do so. Satisfy your rage some other way bro.

      • When found, they should be terminated with extreme prejudice.

        If I could trust you to positively identify them rather than merely dragging out some poor souls who got caught in your dragnet, I would allow you to do so. Satisfy your rage some other way bro.

        It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.

        Appears to be the overwhelming consensus in here.

        • It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.

          I am glad you are not the one responsible for thinking of solutions. You have scorched earth and doing absolutely nothing as your only options presented.

          Instead of punching you, I will empathize with you. You obviously have no power in your individual life, same as myself. I know this because your answers are so extreme. You want something, anything, to fucking change for the better and no matter what you do, it keeps getting worse. So you are down to two choices. I get it.

          But, you are still wrong. There ar

          • It is not possible to be 100 percent sure of anything. So we just let them carry on, and if they cause any problems, the victims are the real guilty party.

            I am glad you are not the one responsible for thinking of solutions. You have scorched earth and doing absolutely nothing as your only options presented.

            Instead of punching you, I will empathize with you.

            Wow, you do have a temper don't you? A simple discussion, and I present something you don't like, and you are near violence. You should work on that homie.

            You obviously have no power in your individual life, same as myself. I know this because your answers are so extreme.

            First off, you are incorrect about any power I possess. In my present position, you are in the facility at my pleasure. I can shut what you are doing down, and if you do not leave immediately, the police will escort you out. Your interactions with them will determine whether you are released or arrested, or at my discretion, you will be arrested first.

            I

  • When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening???

    If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.
    • When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening???

      * Corporations: When it stops being profitable to allow these attacks to happen.
      * Governments: When politicians stop being bought off.
      * Courts: When it stops being legal to allow these attacks to happen.

      The real question you need to be asking is, "What is causing society to behave so badly as to allow this and how can it be rectified?"

      The answer lies in changing the propaganda that society is being exposed to on a daily basis.

    • by gweihir ( 88907 )

      When they get the greed and stupidity of their executives under control, i.e. "never".

    • by micheas ( 231635 )

      When will corporations, Governments, and courts realize that high security and strong encryption are critical to prevent these attacks from happening??? If I wasn't so old, I'd go back to school to specialize in cybersecurity consulting.

      I can give you about a 99.9% confident answer that everything was encrypted in transit and at rest.

      There is a huge HITRUST framework that insurance companies try and get their vendors to follow. It is about 70% good ideas, 29% meaningless, and 1% bad ideas that will undermine security. HITRUST makes the mistake of thinking that human beings are reliable if they are not malicious and it is very fond of error prone manual processes over reliable automated processes.

      There is a law, and there is a detailed spec

  • by groobly ( 6155920 ) on Saturday March 02, 2024 @12:05PM (#64284562)

    I have so far received 4 hack notices from 4 different places related to health care providers, all due to the same hack of a third party processor.

    The problem here is that there has evolved a huge interconnected web of 3rd party processors where certain ones are essentially monopolies, providing a weak link to access everyone's data. These outfits are generally not visible to the public and probably completely unregulated.

    Do you use billpay at your bank? That is processed by a near monopoly. Do you know their name?

    • by micheas ( 231635 )
      These companies are either covered by HIPAA or sign a Business Associates Agreement (BAA) agreeing to be covered by HIPAA and subject to the penalties of HIPAA (maximum fine of $50,000 per users data disclosed in a breach and up to 10 years in jail if the cause of the breach is determined to be negligence).

      The problem is that it is an industry ruled by certifications and checklists more than knowledge and ability.

      There are people working at fixing the individual flaws in HITRUST but not in the flaw of think

    • You do realize this is all structured to eliminate liability. You got fucked (as did I) and there is not a single thing either of us can do. But wait, there is more, there is not a single fucking thing ANYONE will do except send some police dudes to maybe find the people and put them in a prison.

      No one in a position of power to change anything will ask them any hard questions just like nobody ever asked UTSW any hard question or asked the OPM any hard questions. It is all, "it's Microsoft's fault" while ope

  • To deny my latest medication. They want me to take one that causes severe side effects that nearly killed me when I tried it in 2012. Their low rent doctor who doesn't practice medicine told my doctor that it was safe.
    • by sjames ( 1099 )

      I heard of at least one case where the patient's doctor demanded the insurance company doctor's prescriber number "to make sure the right party gets the malpractice suit". The denial was reversed.

  • Companies like this are leeches sucking US citizens dry. They inflate costs and contribute nothing but paperwork. Every time I see a story like this, I give thanks that I live in a civilized country, where health care is a right.

  • by Anonymous Coward

    Legacy CHC employee here, and all I can say is that yes, it's bad.

    Most of us have been down or idle for 10 days, unable to login or do any real work since a lot of our tools are also down or inaccessible (jira, clarity, servicenow, etc etc).

    Keep a happy thought that this shit will get straightened out soon.

    • by micheas ( 231635 )

      Legacy CHC employee here, and all I can say is that yes, it's bad.

      Most of us have been down or idle for 10 days, unable to login or do any real work since a lot of our tools are also down or inaccessible (jira, clarity, servicenow, etc etc).

      Keep a happy thought that this shit will get straightened out soon.

      Or it is all lost and DHHS finds that it was negligence of the C suite that allowed the breach to happen and people go to jail and someone has to rebuild it with security and not HITRUST in mind.

  • Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.

    • * Vendors of commercial software (that is not explicitly designed to be secure) is provided by vendors with just good enough security. Security could be a total facade but it appears to be secure and thus selected by businesses.
      • * Vendors of software explicitly designed to be secure will have a much better chance of resisting hackers as their reputation is a major factor in profiting. However, they
    • by micheas ( 231635 )

      Commercial software has three competing groups of profit-seekers: the vendor, the corporate user, and hackers.

      • * Vendors of commercial software (that is not explicitly designed to be secure) is provided by vendors with just good enough security. Security could be a total facade but it appears to be secure and thus selected by businesses.
        • * Vendors of software explicitly designed to be secure will have a much better chance of resisting hackers as their reputation is a major factor in profiting. However, they are still profit-seekers so there are limits to their own security.
      • * Hackers specialize in different pieces of software and the fewer vulnerabilities, the longer specialization requires. When a hacker (group) specializes in a pieces of commercial software and exploits a vulnerability then then response vendor response is a patch that is just good enough to prevent it from happening in the same way. Vulnerabilities in the similar vein may be discovered in the process and patched but there is no grand effort to seek out all vulnerabilities that span any meaningful length of time.
      • * For the corporate user, If too many security breaches occur due to a particular piece of software then that piece of software is not selected for and thus a new piece of software replaces it's function. The new software may or may not have superior security but by switching anyone specifically targeting you must specialize in a new piece of software which is done in the hope of increasing the cost/time for you to be attacked by the same actor.
        • * If the commercial software is a dependency of other software then it can cause a locked-in effect where the (perceived) cost of moving to a new system exceeds to cost of further breaches. So even if commercial software is likely to be breached again, so long as the (perceived) cost of switching software exceeds that of another breach then the commercial software is determined to be just good enough and thus remains selected for.

      The result is businesses will continue using a bad commercial software so long as it is perceived as just good enough. Before most commercial software was deeply tied to relying on remote servers, old versions of software remained just good enough, so long as no unsolvable problems were encountered. Remote servers are now used to function as an instant unsolvable problem and thus forcing a version upgrade which has added new added vulnerabilities.

      Final note: Commercial software will ALWAYS fail when pitted against nation-state actors because the cost to a nation-state is largely irrelevant as the primary motive using the information gained from the breach. As such, the only way to resist nation-state actors is to use software and hardware that is designed expressly to be secure. That said, doing this merely shifts the focus/burden to the system/people that surrounds your software/hardware.

      For something like a major insurance company, they should be assuming that they will be hit by nation-state actors and that they need to have a plan B, plan C, and probably a plan D for when it fails. It doesn't seem like they were prepared.

      • they should be assuming that they will be hit by nation-state actors...

        They absolutely are assuming they will be hit by nation-state actors. That said, there is literally no penalty for a breach, so spending money on security that isn't mandatory is laughable to a profit-driven entity.

  • I hope nobody dies as a result of not getting their medications. But if anyone does, charge those responsible for homicide. If the homicide victim's jurisdiction has a "felony murder" charge that fits, use it.

    Unfortunately, most of the people involved in the ransomware gang will probably never be identified, and most of those who are will never face trial. But for those who are indicted in the US, they can forget about vacationing to any country where they would face extradition.

    • by micheas ( 231635 )
      The person most likely to go to jail is the person who swore that the company's disaster recovery plan has been tested and that they can recover in under 48 hours.
  • Now, if these people were pushing drugs or, worse, they were black people, then law enforcement would gladly do something about them! But as it is, they do not care.

  • It used to be a thing, hard drives were unreliable and we had to back up everything. Not only that, additional backups were made so that it could be taken off site incase of fire or theft. Ransomware is much like a drive failure, data is corrupted. Just reformat the drives and restore backups.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...