MICHEL MARTIN, HOST:
If you've been experiencing chaos trying to navigate your health care the last few weeks, you are not alone.
STEVE INSKEEP, HOST:
People around the country have had trouble filling their prescriptions. Many doctors have not been able to bill insurance providers all because one company was targeted with a cyberattack.
MARTIN: NPR cybersecurity correspondent Jenna McLaughlin is here to tell us what's going on. Good morning, Jenna.
JENNA MCLAUGHLIN, BYLINE: Good morning, Michel.
MARTIN: So this attack happened - what? - two weeks ago, and things still aren't back to normal?
MCLAUGHLIN: Yes. It's been over two weeks, and things are still messed up. At pharmacies, sources say things are starting to improve, but, you know, there are still major issues, like patients paying full price for drugs. Meanwhile, doctors are having problems submitting insurance claims and looking up patient medical histories. Yesterday, the U.S. Department of Health and Human Services announced that they're stepping in to help provide emergency funding, but it's not totally clear how that will play out yet.
MARTIN: So how can this attack on a single company, which, frankly, many of us have probably never heard of, so profoundly disrupt the American health care system?
MCLAUGHLIN: Yeah. Basically a ransomware gang called BlackCat breached Change Healthcare. As a cybersecurity reporter, I hadn't heard of them, either, but I sure got a crash course in exactly how important they are. Let me break it down and, you know, it gets complicated, so bear with me. Change Healthcare is like a digital middleman. Pharmacies, doctors, clinics, they all use it to check patient's eligibility for services, look up their medical histories and then bill the insurance company for treatment. Now, they're owned by Optus, which is a subsidiary of UnitedHealth, one of the largest health insurance companies in the country.
But basically, Michel, what's important to know is that this is a big, juicy target for hackers. Once the payment platform went down, the whole health care system was disrupted. I spoke to Douglas Hoey. He is the CEO of the National Community Pharmacists Association about all this. Listen to how he described it.
DOUGLAS HOEY: One of the biggest lessons learned from this situation is that when we put all of our eggs in one basket, when that basket tips over, all the eggs crack and there's none left. We're scrambled at that point.
MCLAUGHLIN: I also talked to a senior administration official at the White House. They've been working on this, and they said that this is an attack that's a real example of concentrated risk and the dangers of a single point of failure.
MARTIN: This is obviously very unnerving. So tell us more about what's being done to fix this.
MCLAUGHLIN: So part of the Health and Human Services announcement was that they wanted to help providers figure out ways to make their systems more resilient. If another company like Change Healthcare gets attacked tomorrow, providers should be able to easily switch to another similar one so that they can keep billing insurance without disruption. It turns out, there are companies working on this very thing.
MARTIN: But have they been successful?
MCLAUGHLIN: Yeah. Actually, I reached out to Zach Kanter. He's the founder of a technology company called Stedi. He actually ended our conversation on a positive note. Here's what he said.
ZACK KANTER: It's a very solvable problem. There's lots and lots of very capable people working on this, both at Stedi and at other companies. And it's - look, it's different than the power company going out and you don't have a backup power source. In this case, it's just a matter of companies getting in touch.
MCLAUGHLIN: But even if that problem gets solved tomorrow, it could be something else. The cybersecurity standards need to improve across the board. Hopefully, Michel, this is a moment the health care industry learns from. You know, never let a good crisis go to waste.
MARTIN: NPR cybersecurity correspondent Jenna McLaughlin. Jenna, thank you.
MCLAUGHLIN: Thank you.
(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
