Change Healthcare, medical providers still reeling from cyberattack
Change Healthcare – the nation’s largest medical financial and administrative exchange – is still recovering from the massive cyberattack that jeopardized treatment and payments for millions of patients.
While ransomware attacks on medical companies are nothing new, industry officials said they had never seen anything as brazen and widely disruptive as the Change Healthcare event due to its near monopoly position in the industry. Change Healthcare, a subsidiary of UnitedHealth Group, initially released a somewhat opaque statement in late February that it discovered a “threat actor gained access to one of” its “environments.”
Translated, that meant that a notorious ransomware network, ALPHV/Blackcat, stole reams of patient data, encrypted it, and demanded a big payday for its return.
“I’ve been in this industry for 25 years and I’ve never seen anything like this,” Steve Cela, founder and president of Strategic Office Support (SOS), which provides intake and revenue cycle management services, told HMS News. “A clearinghouse like that is the Mastercard or Visa of our industry and it’s now become a single point of failure, because nearly everyone’s using Change Healthcare. Our clients saw a decrease in cash flow immediately.”
Systems taking weeks to get back online
It’s not known if Change paid the ransom or what the asking price was, but the company was forced to disconnect its systems and it has taken weeks to get them all back online. By its own admission, Change retains health records for one in every three medical patients in the country.
The disruption impacted thousands of medical practitioners, hospitals, pharmacies, and insurers nationwide that depend on Change Healthcare for pharmacy and provider claims processing, patient access and clearance, provider payments and authorizations, and medical necessity reviews. Providers and pharmacies had to rely on backup systems, even faxes and mailed documents, to process authorizations and payments. One dental provider told InsuranceNewsNet she had to copy patient information onto thumb drives and physically deliver them to insurance company offices and pharmacies.
Revenue streams impacted, says N.H. commissioner
“We're hearing from providers across the board that their ability to bill and to keep their revenue streams going has been significantly harmed,” David J. Bettencourt, New Hampshire Insurance Commissioner, said in a press conference Tuesday. “They're getting payments way later than they should. In some cases, they're not getting payments. In other cases, the payments are very, very slow because they're having to go through that paper process, which is obviously very time intensive. And somebody's got to go through all of that paperwork. I mean, we're going back to the old school way of doing things. You've got to fill out the paperwork. You've got to email, scan, fax. However, you've got to get it over to the carrier.”
Bettencourt, who blamed the attack on Russian hackers, said half the revenue streams in the state’s five hospitals have been impacted by the event.
In its latest update posted on its website, Change said it had advanced more than $2.5 billion to care providers through a temporary assistance program and began processing $14 billion in claims that had been backlogged.
“We want to help care providers, especially smaller practices, who have been affected by this crisis,” the posting said.
The website posting stated that most of the company’s functions should be restored by now, but some carriers and hospitals say their systems are still down and Change Healthcare doesn’t expect to be fully up and running until mid-April.
Last week, Change Healthcare started releasing medical claims preparation software to try and resume some services. The software was made available to thousands of customers.
UnitedHealth CEO: 'Significant progress' made
“We continue to make significant progress in restoring the services impacted by this cyberattack,” Andrew Witty, CEO of UnitedHealth Group, said. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”
Not known is what becomes of all the personal medical data that was in the hands of the ransomware bandits. Change Healthcare said its “privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers.”
But New Hampshire’s Bettencourt said it isn’t clear if UHG’s efforts are enough.
“They stated that $1.9 billion had been made available as relief funds subject to reconciliation at a later date,” Bettencourt said. “However, they were unable to give any context for this number such as how it compares to the payments that have been disrupted. And therefore, without that information, it is impossible for us to assess the adequacy of the response.”
Security measures questioned
The event brought heat from regulators, law enforcement and elected officials across the country who want information about the cyberattack and whether Change Healthcare and its immediate corporate parent, Optum, had done everything they could to prevent such a devastating attack and restore service.
“My office will look into whether Change Healthcare used reasonable security procedures and practices to protect this information as required by Arkansas law,” said Arkansas Attorney General Tim Griffin.
“All Optum has done is offer a really bad 10-day loan payment program as their solution,” said Gene Ransome, the CEO of the Maryland State Medical Society. “I don't understand why more people aren't screaming and yelling. This is a major risk to our whole health care system.”
HHS working on mitigating cash flow issues
Andrea Palm, deputy secretary of the U.S. Department of Health & Human Services, said the department is focusing on mitigating the cash flow issues in the healthcare sector.
"Obviously, we are well aware of the impacts that this Change cyberattack has had on the healthcare sector,” she said, adding that officials are working on “the last mile” or last group of clinicians still having cash flow problems.
"We're doing the work that is necessary to get them through this the next couple of weeks, so they are able to remain viable and serve patients," she said in an emergency webinar last week.
During opening comments last week at a hearing on President Biden’s proposed 2025 HHS budget, Senate Finance Committee member Mike Crapo, R-Idaho, said the agency was slow in responding to the Change Healthcare crisis.
“The over two-week delay resulted in [avoidable] uncertainty,” he said. “Already financially vulnerable rural hospitals and providers, with little to no cash reserves, required immediate action by the administration to ensure payrolls could be met and services could continue without interruption.”
HHS said last week that its Office of Civil Rights will investigate whether Change Healthcare or UnitedHealth Group violated the Health Insurance Portability and Accountability Act (HIPAA).
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the health department said in a letter to the industry.
U.S. Sen. Maggie Hassan, a Democrat from New Hampshire, called on the company and government to speed up their reaction time, restore systems and support providers.
“Through no fault of their own, medical providers found their cash flow disappear overnight, putting at risk their ability to continue to provide patients the care that they need,” Hassan said.
Steve Ahnen, president/CEO at New Hampshire Hospital Association, thanked Hassan and others for trying to gain more reasonable terms for Change Healthcare’s loan program, “something they should have been willing to do without being prodded into action,” he added.
Doug Bailey is a journalist and freelance writer who lives outside of Boston. He can be reached at [email protected].
© Entire contents copyright 2024 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.