A ransomware attack targeting a popular insurance billing service has prevented some patients nationwide from receiving medications for nearly 10 days.

Why it matters: Patients told Axios they haven't been able to receive medications needed to treat diabetes, migraines and other chronic conditions.

• Change Healthcare — the insurance billing tool that hackers are holding for ransom — has not provided a timeline for when operations will return to normal.

What they're saying: "The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization," Rick Pollack, president and CEO of the American Hospital Association, said in a statement Thursday.

Driving the news: Change Healthcare, which is owned by UnitedHealth, said in an emailed statement Thursday that ransomware gang ALPHV, also known as BlackCat, was behind the ongoing outages, which started Feb. 21.

• Law enforcement seized BlackCat's online infrastructure in December, but since then, the Russia-based hacker group has been able to rebuild.
• BlackCat claimed on its dark-web leak site Wednesday that it had stolen roughly 6 terabytes of "highly selective data," including health records and insurance information. However, that statement was removed from BlackCat's site by Thursday evening.

The big picture: Most ransomware attacks tend to focus on local organizations, such as a school district or a hospital, that serve only one region, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.

• In this case, pharmacies across the country have had to require some patients to pay out of pocket for certain medications or have even turned to tedious phone-based systems that take longer to process payments.
• The impact of the outage also goes beyond pharmacies: Some doctor's offices and other medical facilities are struggling to get insurance payments for services, according to social media posts.

Between the lines: While a Change Healthcare spokesperson told Axios that most pharmacies have found a workaround to the outage, patients said those processes aren't fully operational.

• One person based in Phoenix told Axios that his local Safeway pharmacy hasn't been able to process a prescription for a glucose monitor needed to treat his type 2 diabetes.
• The prescription was submitted Feb. 14, and as of Thursday morning, Safeway still hadn't processed it, said the person, who asked to remain anonymous to discuss personal medical issues. The generic version of the glucose monitor would cost about $300 a month out of pocket.
• "As a temporary workaround right now, I have to starve myself, and stay off some of the [other diabetes] drugs, and poke my fingers about four to six times a day," the person said.

Another patient told Axios that she hadn't been able to get her migraine medicine for about a week.

• Normally, Beth Morton, host of the MigraineChat online community, based in Vermont, pays $2 a month after both her Medicare and state-run prescription insurance plans kick in.
• "My regular pharmacy wasn't sure if I could be reimbursed," Morton told Axios. "I called another to ask how they were handling it, and they told me I did need to pay the $630 out of pocket, but they would rebill everything after the outage was resolved."

Pharmacy techs are now working under unsustainable conditions, Ilisa Bernstein, senior vice president for practice, policy and partnerships at the American Pharmacists Association, told Axios.

• Some pharmacies have completely switched over to a new provider to process payments, but they're still working through the backlog they piled up last weekend before the switch.
• Others are also manually processing prescriptions — requiring pharmacists to have to call insurance companies to figure out the co-pay information, she said.
• One medical facility serving an Air Force base in New Mexico said on Facebook that it's now manually processing, with some requests taking three to five days to fill.
• "This is unprecedented, and this can't happen again," Bernstein said.

The other side: A top UnitedHealth executive reportedly told hospital cyber officers this week that the company is setting up a loan program to help providers who aren't able to submit insurance claims, according to audio obtained by STAT.

• In that call, the executive said the program would run for the next few weeks — which suggests Change Healthcare anticipates having service disruptions during that time.

The bottom line: Ransomware has become an endemic issue that's likely to get much worse before law enforcement actions are able to curb the number of attacks.

• Businesses should establish cybersecurity plans, patch software bugs, and enable multifactor authentication to help keep hackers out of their networks, Steinhauer said.