Breaking: Walgreens’ VillageMD shutting in Florida; Change Healthcare system websites cyberattacked (updated 23 Feb)

The New Reality Strikes Again. Walgreens is closing all VillageMD locations in Florida. In addition to the 14 already closed, an additional 38 will be shuttered on 15 March for a total of 52. These are all co-located and attached to Walgreens locations (left).

Florida was a major expansion market for co-located clinics and its third largest market following Texas and Arizona) according to a report by investment analyst Jefferies.  In October, Walgreens announced the closure of 60 Village Medical locations in ‘non-strategic locations’. In January, CEO Tim Wentworth confirmed that about half of those locations were already closed. Doing the math, the rest of those locations will be in Florida.  Updated–see 29 February

Evidently, Walgreens’ US Healthcare unit views Florida as non-supportable to warrant a drastic move like this in a growing population market. Business Insider, which appears to have an inside track on this from the Jefferies report, “theorized” that many of these Village Medical locations were actually inside pharmacies–too small to attract patients and to recruit primary care doctors. If this is true, for a company that prides itself on retail know-how, as in the old real estate saw ‘location-location-location’, it has made a major and costly misstep.

Walgreens has sunk close to $9 billion into VillageMD: $5.2 billion for the majority stake and another $3.5 billion to aid with the Summit Health/CityMD buy. This does not include the earlier minority investment in VillageMD, so the total is likely well north of $10 billion. It all looked very different in 2020 when it was ‘go big or go home’. One wonders if VillageMD / Village Medical or its parts are on the selling block along with Shields Health if Walgreens has decided on a major strategic change.  Healthcare Dive

And another Reality is Cyberattack. Revenue cycle management and leading patient payment processor Change Healthcare is the latest victim. It notified users that it was disconnecting systems hours after Wednesday morning Eastern Time when it noticed disruptions to some applications that grew into “enterprise-wide connectivity issues.” The disruption is continuing into today (Thursday 22 Feb). There are few public specifics other than the timing and confirmation of the attack as of now, but it appears to have reached down to the local pharmacy level, into providers of all sizes, and shut down nearly every Change Healthcare system. This Editor visited the main website, which appears altered (shrunken); attempts to go to connecting links go to blank screens. Optum is not disclosing further information and perhaps shouldn’t at this point. Change Healthcare is part of UnitedHealth Group’s Optum and processes 15 billion transactions a year filled with PHI and PII, which adds to the scariness factor. TechCrunch, Becker’s, HealthITSecurity   This is a developing story and will be updated

Update 22 Feb: HISTalk reports that athenahealth customers are also affected, as their electronic data interchange is supported by Change Healthcare technology.

UnitedHealth Group said in an SEC filing that a “suspected nation-state associated cybersecurity threat actor” gained access to Change Healthcare’s information technology systems. It “cannot estimate the duration or extent of the disruption at this time.” UnitedHealth has retained security experts and was working with law enforcement. As of Thursday evening, the disruption continues and affects pharmacies nationwide in an inability to process insurance claims for prescriptions. Healthcare services are also being disrupted, said an unnamed director at a regional hospital system in Pennsylvania. Reuters

Update 23 Feb: Further corroboration in Fox Business on the above and continuing effects on pharmacies. Tricare, which covers active and retired military, stated on its website in a news release that this is impacting all military pharmacies worldwide. “Military clinics and hospitals will provide outpatient prescriptions through a manual procedure” until the ongoing cyberattack against Change Healthcare “is resolved.”

In more unwelcome news that this cyberattack is ongoing, the American Hospital Association (AHA) is formally advising healthcare facilities to not only disconnect from Change/Optum, but also check their own IT for vulnerabilities. AHA notice.  Also WSJ (not paywalled)

Categories: Latest News and Opinion.