Fearful of coronavirus symptoms, some Americans pay thousands out of pocket for care as cyberattack disrupts insurance processing

As a widespread cyberattack continues to disrupt insurance processing at pharmacies across the United States, Americans like Mara Furlich are facing a stark choice: Pay, at least initially, out of pocket for critical care or risk the health consequences of not getting treatment.

Experts say the hacking incident, which has impacted healthcare organizations and pharmacies around the country, could prompt patients to undergo further medical treatment to treat issues that could have been avoided had they been able to fill prescriptions.

Furlich, a 32-year-old Detroit social worker, went to a CVS pharmacy in the suburbs on Wednesday to get a Paxlovid prescription filled as her Covid-19 symptoms worsened, but the pharmacy couldn't bill her insurance, and neither could multiple other pharmacies in the area. Paying out of pocket would have cost Furlich $1,600 for the treatment, a cost that spurred the social worker to pay out of pocket to mitigate the potential consequences of Covid, such as a case of long Covid.

While the insurer has since agreed to reimburse her, Furlich is one of many Americans in multiple states who are dealing with the fallout of a cyberattack this week on Change Healthcare, a unit of health IT giant UnitedHealth that processes prescriptions to insurance for tens of thousands of pharmacies nationwide.

The incident is a reminder to all healthcare providers and contractors to stay vigilant, say officials, and individuals should take precautions, including updating passwords and looking out for any unusual activity, such as fraudulent communications. Details are unclear on who was responsible for the hack, but in a regulatory filing Thursday, Change Healthcare's parent firm said "suspected nation-state associated" hackers had breached some of their computer systems.

The recovery process from the hack for Change Healthcare will likely be "lengthy and burdensome" before they can expect any return to normalcy, says Max Henderson, an assistant vice president at security firm Pondurance. Investigations in these situations, especially for a victim of this size, can take weeks before any formal, final attestation letter towards containment (of the hack) can be provided to clients who require them.

Read more