After Crippling Ransomware Attack, VA Is Still Dealing with Fallout, Trying to Pay Providers

Bottles of prescription medication move along a conveyor belt at the Department of Veterans Affairs’ Consolidated Mail Outpatient Pharmacy facility in North Charleston, South Carolina. (VA Photo)
Bottles of prescription medication move along a conveyor belt at the Department of Veterans Affairs’ Consolidated Mail Outpatient Pharmacy facility in North Charleston, South Carolina. (VA Photo)

Four months after a crippling cyberattack on a company that manages prescription processing and community provider payments for the Department of Veterans Affairs, the VA continues to address the fallout, with officials saying Tuesday they are taking steps to clear a backlog of payments to pharmacies and medical providers.

A Feb. 21 ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group that serves as a clearinghouse for insurance payments and pharmacy prescriptions, disrupted operations at hospitals and clinics nationwide, including the Defense Department and VA.

Immediately following the breach, the VA disconnected its network from the company and reviewed its system for infiltration. Despite the swift action, however, the VA's community care and non-network providers were affected, generating a backlog of claims and invoices for services and prescriptions.

Read Next: Service Members' Access to Birth Control Remains Low. Democrats Want the Pentagon to Explain Why.

The attack disrupted pharmacy services for some veterans but greatly affected the companies that manage VA's network of community doctors, as well as non-network providers.

The disruption caused a backlog of more than 1 million pharmacy prescriptions and claims, along with 6 million invoices handled by network managers Optum Public Sector Solutions, which is part of UnitedHealth Group, and TriWest Healthcare Alliance.

During a press conference Tuesday, VA officials said they expect to have worked through the backlog of pharmacy prescriptions by August and payments for those prescriptions cleared by Oct. 1.

The VA also is working through paying Optum and TriWest and trying to restore claims processing payments for CHAMPVA, the program that provides health care services to eligible family members, by July.

Some providers who contract directly with the VA may not see regularity in their payments until February, according to Ian Komorowski, executive director of strategic investment management for the Veterans Health Administration.

"There remain no known adverse patient events, and there's no known impact to patients. Our care to veterans remains active both at our VHA facilities and through our community care providers," Komorowski said during the press conference.

Some providers who rely on prompt payments from the federal government to continue practicing medicine, however, have reported struggling since the cyberattack.

But Komorowski and VA Secretary Denis McDonough said at the press conference that the department prioritized payments to non-network providers and worked with TriWest and Optum to ensure that providers were paid, with the contract managers bearing the brunt of the payment delays.

"They were able to make payments throughout, and we are now catching them back up," McDonough said of the two companies. "Have we had any evidence of any of our providers in our network and even our non-network providers having to stop seeing veterans? My general sense is I have not seen that feedback in my ongoing close consideration of this issue."

According to Komorowski, the breach also resulted in the exposure of VA data to the hackers, but he said Change Healthcare has not provided any information on the type of information that was involved.

"We do not know the extent of the data that has been extracted. We have not been informed by Change Healthcare," Komorowski said.

The breach affected pharmacy operations at Defense Department facilities, forcing military pharmacies to fill prescriptions manually. Normal operations in Defense Health Agency facilities resumed April 2, according to the DoD.

Cyberattacks on the U.S. health care industry are on the rise as hackers see health systems as vulnerable to infiltration and willing to pay to protect patient services. According to the Department of Health and Human Services, attacks on heath care operations have risen 256% in the past five years.

VA Deputy Assistant Secretary for Information Security Lynette Sherrill said the department has stepped up monitoring and working to prevent attacks on its IT systems.

That includes regular training of all VA employees, according to McDonough.

"I can cop to the fact that I failed the training last week, so shame on me," McDonough said during the press conference. "But to be honest, the very constant unannounced training for each of us is very important."

Related: Electronic Health Record System Unveiled at VA and Pentagon's Largest Shared Health Care Facility

Story Continues