Change Healthcare is a giant in the healthcare industry, processing 15 billion claims annually totaling more than $1.5 trillion. The company operates the industry's largest electronic “clearinghouse,” acting as a conduit between health care providers and the insurance companies that pay for services and determine how much patients should pay. The company helps tens of thousands of doctors, dentists, pharmacies and hospitals and processes 50% of all medical claims in the United States, the Justice Department said in a 2022 lawsuit, adding that UnitedHealth's acquisition of the company Attempts were made to prevent it, but failed.
Citing internal documents, prosecutors wrote that Change concluded that “the health care system … cannot function without Change Healthcare.”
The hackers, a ransomware group once considered defunct by law enforcement, stole data about patients, encrypted company files and demanded money to unlock them. The company shut down much of its network in February in preparation for recovery.
Quantifying impact remains a moving target, and its severity depends on how dependent the organization is on the change. But three senior officials at the Department of Health and Human Services said the situation was serious.
The urgency also came when Senate Majority Leader Charles E. Schumer sent a letter to the Centers for Medicare and Medicaid Services on Friday asking it to expedite payments to hospitals, pharmacies and other health care providers affected by the power outages. increased. The New York Democrat wrote that hospitals are struggling to bill patients and receive payments, while patients are unable to get information about whether their treatments will be covered by insurance.
“Payment delays are costing hospitals across the country millions of dollars each week if they continue, and people are struggling to get prescriptions filled at their local pharmacies,” Schumer said in a statement Sunday. ” “That's why I urge CMS to use its authority to cut through red tape and provide swift, upfront payments to affected health care providers, just as we did during COVID-19. That’s what I’m asking you to do.”
An HHS spokesperson told the Washington Post that the agency “recognizes the impact this attack has had on medical operations,” and that the agency is working with UnitedHealth to avoid disruption to patient care. he added. The incident highlights “the urgency of strengthening cybersecurity resiliency across the ecosystem,” the spokesperson said.
Molly Smith, vice president of the American Hospital Association's public policy group, said Sunday that “in our assessment, this is the most significant attack on the health care system in American history” to date.
At one point, Smith said, the association heard from hospitals that weren't discharging certain patients because they couldn't get their medications refilled. Much of that confusion is being resolved as providers rely on manually submitting claims, she added.
Optum, a medical services company also owned by UnitedHealth, announced that it has established a temporary assistance program to provide cash to organizations whose payment systems have been affected. This is a short-term loan that must be repaid once the change recovers, and running. A senior HHS official said the agency is working with UnitedHealth to ensure the program is effective.
A UnitedHealth spokeswoman said Sunday there was no update, but said the company had hired a consultant and was working with law enforcement. Since the hack, UnitedHealth said it has implemented “multiple workarounds to ensure people receive the medications and care they need.”
Simply switching from Change to another vendor can be complicated by contractual arrangements and technical reasons, according to industry insiders and pharmacists. In addition to forwarding the claim to your insurance company, Change also scrubs the claim information to ensure codes and other details are correct. Smith said some competing vendors have developed some alternatives, but they don't have the cleanup capabilities that Change offers, and many providers are receiving a lot of rejections. .
“The workarounds we have at the moment are very incomplete, which means we still have cash flow problems,” she said.
Jose Arrieta, former chief information officer at HHS, said the cyber attack was one of the most serious in the health care sector in recent years and was based on previous breaches.
“The scale of the attack doesn't matter. What matters is its impact,” Arrieta said. “And if you have the wherewithal to aim for Fortune 5; Company…Everyone in the United States should take this as a warning, no matter what field they work in. ”
At a solo practice in southern New Jersey, Craig Wax said his case was “backwards, upside down, and on fire.” The doctor sees patients of all ages and accepts multiple types of insurance, relying on a small billing company that uses software providers that rely on Change's platform.
“We're going to paper dump,” which means filing claims in paper forms, “and we're hoping that the insurance companies will honor the paper claims,” he said.
Another reason for skepticism is that some of the most persistent critics of the U.S. health care system, such as the American College of Physicians and Surgeons, who oppose programs such as Medicare, the federal health insurance program for older Americans, Citing the Change Healthcare hack. of the current payment model.
The group's executive director, Jane Orient, said the incident “illustrates the disaster that can ensue from reliance on centralized networks and third-party payments.”
Medium to large hospital systems across the country suffered varying degrees of cyber attacks, according to hospital groups.
The Minnesota Hospital Association said some members' billing systems have been disrupted and they are unable to process claims or receive reimbursement. The Change Healthcare hack followed another local cyberattack that hit a radiology clinic in Minnesota.
“There are growing concerns about the long-term impact on patient care and operational stability,” the association said in an email. “This places a significant burden on the financial sustainability of the health care system.”
The association representing Massachusetts hospitals said in an update to its members scheduled for Monday that many of its members who learned of the hack had been disconnected from all Change Healthcare systems.
The association says hospitals are scrambling to establish alternative payment channels with insurers in the state. “This is yet another layer of financial stress for a health system that is already struggling to stay afloat,” Karen Granoff, senior director of managed care policy at the Massachusetts Hospital Association, said in an update. Stated.
At the University Hospital System in Cleveland, the outage prevented patients from obtaining prescription drugs from retail and specialty pharmacies, but the hospital system's in-house pharmacy was not affected, a spokesperson said in an emailed statement. mentioned in.
Meanwhile, Florida is drying up hundreds of millions of dollars in weekly claims, and damage will soon reach $1 billion, according to Mary C. Mayhew, president and CEO of the Florida Hospital Association. It is possible that it will be reached.
“These hospitals had built their operations around daily payments for the care they provided, and that came to a screeching halt, and we are now on the 11th day of the attack,” she said.
The lack of critical information from UnitedHealth is exacerbating the situation, she added, noting that switching to manual claim submission or finding another clearinghouse is not the preferred solution. The latter could take 90 days, she said, according to one of its member hospitals.
And while large systems may be able to weather the crisis by drawing on reserves, Mayhew warned that most community hospitals have fallen victim to corporate attacks. Created vulnerabilities through market power.
“This is devastating for small and medium-sized hospitals that already have very low profit margins and tight cash flow,” she says.