For the better part of the past week, the largest healthcare company on earth, UnitedHealth Group has had to advise most of American healthcare to detach from its systems. There has been a cyber security attack.
United Healthcare is unimaginably huge. One of its unimaginable, huge subunits is called Optum. One of the companies Optum acquired was called Change Healthcare—acquired for $13 Billion.
One of the things that the founders of Change Healthcare might've spent more time with in school is ancient Greek playwriting. Had they done so, they would've been familiar with the concept of hubris. Welcome to The Frontier Psychiatrists, a newsletter, among other things.
To Wikipedia!:
Hubris (/ˈhjuːbrɪs/; from Ancient Greek ὕβρις (húbris) 'pride, insolence, outrage'), or less frequently hybris (/ˈhaɪbrɪs/),[1] describes a personality quality of extreme or excessive pride[2] or dangerous overconfidence and complacency,[3] often in combination with (or synonymous with) arrogance.[4]
In Ancient Greece, this hubris was routinely against the gods. Keep in mind, in the bronze age, there was no question of atheism. The questions people ask themselves did not involve whether there was a God, it was just the degree to which the gods were angry with you or not.
One of the ways mortals could routinely piss off the gods? Hubris.
Oedeipux Rex tried to avoid his fate, and in his pride, married his own mother. Icarus wanted to fly, but his hubris melted off his damn wings. Lady MacBeth thought murder would go well, but the “damn spot” removal afterward drove her mad.
These stories go on and on.
So, too, with the naming of companies in our modern age. Change Healthcare put “what would happen” in the name of the company. It would change. Change is, of course, directional. It can be for better or for worse. In what direction will healthcare change? This question seems important. And in refusing to address this question with their glib company naming strategy, they ensured the tragic ending of the story.
Here is the change we’ve gotten. In a filing with the SEC:
On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.
The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.
During the disruption, certain networks and transactional services may not be accessible.
The most telling detail…
As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
Well, of course, that wasn’t going to change.
However, other changes have occurred:
The company handles 15 billion payment transactions each year and is one of the largest commercial prescription processors in the U.S.
Claims processing is down for many physicians and hospitals.
Pharmacy services are down:
Pharmacies and other providers nationwide — including military facilities — have reported struggles processing prescriptions as a result of the outage. On Thursday, the American Hospital Association urged hospitals to disconnect from Optum, the UnitedHealth division that includes Change, and check their systems following the attack.
Risk Evaluation and Mitigation Strategies are rendered non-functional:
I spent about an hour Saturday morning trying to fill a prescription with Carelon Pharmacy, which may or may not be busted for the same reason…some of the hold music told me they used Availity, which is another digital plumbing provider, but part of Elevance. The brilliant Erin Alpert, a team member at Mark Cuban’s Cost Plus Drugs, did a great explainer on pharmacy switches, with graphics I will share before encouraging you to read her whole article:
Pharmacy switches are part of Change Health.
We have all been asked to disconnect from the vial plumbing of healthcare pharmacy, payment, adjudication, risk strategies, etc.
Change Healthcare made healthcare evermore interdependent, and very vulnerable to cyber attack. Which is of course what happened. Now healthcare has changed. In that, It doesn’t work. For our protection, we must do without the connective digital systems intended to make it work better and more efficiently.
Hubris!
At least with the ancient Greeks, it was those who angered the Gods who would feel their wrath. Now, it is the rest of us.
I have always known that the enormous data collection of modern healthcare could never avoid being vulnerable. This only confirms my suspicions. I am fully convinced that even the 'best' EMR (as if there were one) is wildly susceptible to compromise. Great piece, thanks. From an appreciative ER doc.
The damn spot removal was a symptom methinks.