Last year’s ransomware attack on Change Healthcare affected interface assessments of the Department of Veterans Affairs’ modernized electronic health record system at a key medical facility, the agency’s watchdog said in a new report.
Wednesday’s management advisory memorandum from VA’s Office of Inspector General reviewed how the agency and Oracle Health were following interface testing procedures at the Captain James A. Lovell Federal Health Care Center in North Chicago, Illinois.
VA and the Department of Defense officially announced the launch of the new EHR system at the Chicago medical center in March 2024. VA’s software is designed to be interoperable with the Pentagon’s similar Oracle Health system.
The watchdog analyzed a sample of the Chinago site’s EHR interfaces and found that, while VA and Oracle Health officials “conducted the correct tests and applicable retesting,” they did not sufficiently document their results. Part of this issue, it noted, was due to the Change Healthcare attack.
The February 2024 cyberattack on the UnitedHealth Group subsidiary — the largest healthcare payment system in the country — disrupted prescription services and provider payments at facilities across the U.S. The company ultimately made a $22 million ransom payment, although the attackers claimed they stole six terabytes of patient data.
“For example, the required repository for recording problems identified in testing did not show testing had been done before the healthcare center went live with the Financial Management System interface, which bridges the EHR system and VA’s payment and billing system,” OIG said in its report summary. “Testing was delayed by a cyberattack, and results were recorded in another system.”
The watchdog said testing of interfaces — connections between separate devices or applications — is necessary to ensure that veterans’ medical information can be shared between the new EHR software, VA’s legacy systems and other networks. The report added that documentation “is needed to verify proper implementation, operation, and security requirements critical to future EHR deployments.”
OIG found that the Oracle Health system’s Application Lifecycle Management Tool at the Chicago site “contained no documentation showing testing had been done at the Lovell [Federal Health Care Center] before going live with the Financial Management System interface, which bridges the EHR system and VA’s payment and billing system.”
While the watchdog found that the interface did eventually undergo delayed testing, it said “VA and Oracle Health could not conduct a localized test on the interface until it was released because Change Healthcare’s system, on which this interface relied, shut down due to a cyberattack in February 2024.”
Due to security concerns, officials subsequently replaced the interface capability with a new system that was not operational until November 2024.
“The leaders reported the Financial Management System required a full month’s worth of data to validate interface deployment,” OIG said. “When the data were available in January 2025, the VHA Office of Finance and the [Electronic Health Record Modernization] Integration Office validated the necessary transactions. EHRM Integration Office senior officials confirmed that the test evidence for this interface was stored in another system outside the tool.”
A VA spokesman told Nextgov/FCW in April 2024 that the Change Healthcare attack did not cause “any adverse impact on patient care or outcomes,” although they said it did knock several of the agency’s IT systems and other platforms offline. Then-VA Secretary Denis McDonough told lawmakers earlier that same month that the deployment of the EHR system at Lovell successfully occurred despite the ransomware attack, but he also added that the agency was unable to determine whether some ongoing issues were related to the EHR system or to the cyber incident.
While the Lovell rollout marked the final deployment of DOD’s modernized EHR system at medical sites around the world — and the only joint rollout of the software between the two massive departments — VA has struggled to deploy the Oracle Health software at its facilities.
VA first signed a $10 billion contract — later revised to over $16 billion — with Cerner in May 2018 to modernize its legacy health record system and make it interoperable with the Pentagon’s new health record, which was also provided by Cerner. Oracle later acquired Cerner in 2022 and rebranded the new unit as Oracle Health.
Problems with VA’s new Oracle Health EHR software arose almost as soon as it was first rolled out in 2020. Patient safety concerns, performance glitches and usability challenges plagued the system, leading VA to pause the modernization project in April 2023 at all sites, with the exception of Lovell. The new EHR system has been implemented at just six of VA’s 170 medical centers.
VA, however, is currently in the process of restarting the modernization project, with plans to deploy the EHR system at 13 medical sites in 2026.
In June, VA Deputy Secretary Paul Lawrence said the agency was making “real progress” in its push to restart deployments of the software next year and is undertaking “a no-fail mission to deliver a Federal EHR at every VA medical center by 2031.”
