The attack on health care has not resulted in any harm to veterans’ care, VA says

The cyberattack on Change Healthcare in February affected some Department of Veterans Affairs systems and temporarily delayed some veterans’ prescription orders, but did not have “any negative impact on patient care or outcomes,” a department spokesperson said.

Change Healthcare – a subsidiary of UnitedHealth Group and the largest healthcare payment system in the US – was the target of a ransomware attack in February that disrupted payment and prescription processing at hospitals and medical centers across the country. Some healthcare providers reportedly lost up to $1 billion per day as a result of the cyberattack.

VA press secretary Terrence Hayes said the agency’s cybersecurity operations center “confirmed (that) there was no malicious activity or irregularities present” in the agency’s systems, though he added that the attack “affected a significant number of VA’s information technology functions .”

Hayes said the cyber incident was responsible for “taking offline the CommonWell health information exchange and taking offline the clearinghouse services that support Community Care claims, revenue operations and payment operations.” He also said the ransomware attack caused disruptions to incoming prescription orders and to VA’s ability to configure some of its systems to store and retrieve medical images and associated data.

As a result of the cyber incident, the agency experienced some difficulties filling prescriptions sent electronically by VA medical centers. This affected the medications of just over 40,000 veterans, even though VA fills approximately 525,000 prescriptions on an average day and quickly moved to fill the orders for affected veterans without identifying any resulting patient harm. The department said most of the affected orders were for refills, which are processed and filled several days before the patient’s refill date.

“We have restored many of the impacted capabilities, veterans’ access to care has not been impacted and community providers serving veterans are being paid,” Hayes said, adding that “VA continues to work diligently to restore all excellent capabilities.”

After the cyberattack occurred, VA posted a banner on its main website and on the medical center websites notifying veterans, physicians and health care providers of the incident. It also created alternative claims pathways to help minimize the impact on the processing of veterans’ claims.

While the third-party administrators of VA’s Community Care Network – Optum and TriWest – continued to pay providers for health care claims during the ransomware attack, providers outside the agency’s network were hit harder by the cyberattack. VA continues to process these claims now, but the department said that “the extended period during which VA was unable to receive these claims” resulted in some providers having to resubmit their claims to the department to receive payment.

During an April 16 hearing of the House Appropriations Subcommittee on Military Construction and Veterans Affairs, VA Secretary Denis McDonough said the deployment of the agency’s new Oracle Cerner electronic health record system at the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois the last time that month successfully took place in the middle of the ransomware attack. However, he said VA could not determine whether some issues with the EHR system’s prescription software were related to the new EHR system or to the cyber incident.

“It’s hard to discern, you know, some of our concerns about, for example, the pharmacy function in our record and how much of that is a reflection of Change Healthcare, and the interoperability of that system with ours now, and how much of that is the new system ” said McDonough.

He added that “there are still challenges with UnitedHealth Group” and that VA has held “a very serious meeting with them” to discuss ongoing issues.