Health industry struggles to recover from cyberattack on a unit of UnitedHealth

Dr. Margaret Parsons, one of three dermatologists at a 20-person practice in Sacramento, California, is in a bind.

Since a Feb. 21 cyberattack on a previously obscure medical payment processing company, Change Healthcare, Parsons said, she and her colleagues haven't been able to electronically bill for their services.

She heard Noridian Healthcare Solutions, California's Medicare payment processor, was not accepting paper claims as of earlier this week, she said. And paper claims can take 3-6 months to result in payment anyway, she estimated.

"We will be in trouble in very short order, and are very stressed," she said in an interview with KFF Health News.

The hacked company handles "14 billion clinical, financial, and operational transactions annually," according to its website.

A California Medical Association spokesperson said March 7 that the Centers for Medicare & Medicaid Services had agreed in a meeting to encourage payment processors like Noridian to accept paper claims. A Noridian spokesperson referred questions to CMS.

The American Hospital Association calls the suspected ransomware attack on Change Healthcare, a unit of insurance giant UnitedHealth Group's Optum division, "the most significant and consequential incident of its kind against the U.S. health care system in history." While doctors' practices, hospital systems, and pharmacies struggle to find workarounds, the attack is exposing the health system's broad vulnerability to hackers, as well as shortcomings in the Biden administration's response.

To date, government has relied on more voluntary standards to protect the health care system's networks, Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, said. But "the purely optional, do-this-out-of-the-goodness-of-your-heart model clearly is not working," he said. The federal government needs to devote greater funding, and more focus, to the problem, he said.

The crisis will take time to resolve. Comparing the Change attack to others against parts of the health care system, "we have seen it generally takes a minimum of 30 days to restore core systems," said John Riggi, the hospital association's national adviser on cybersecurity.

In a March 7 statement, UnitedHealth Group said two services — related to electronic payments and medical claims — would be restored later in the month. "While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established," the company said.

"We're determined to make this right as fast as possible," said company CEO Andrew Witty.

Providers and patients are meanwhile paying the price. Reports of people paying out-of-pocket to fill vital prescriptions have been common. Independent physician practices are particularly vulnerable.

"How can you pay staff, supplies, malpractice insurance — all this — without revenue?" said Dr. Stephen Sisselman, an independent primary care physician on Long Island in New York. "It's impossible."

Jackson Health System, in Miami-Dade County, Florida, may miss out on as much as $30 million in payments if the outage lasts a month, said Myriam Torres, its chief revenue officer. Some insurers have offered to mail paper checks.

Relief programs announced by both UnitedHealth and the federal government have been criticized by health providers, especially hospitals. Sisselman said Optum offered his practice, which he said has revenue of hundreds of thousands of dollars a month, a loan of $540 a week. Other providers and hospitals interviewed by KFF Health News said their offers from the insurer were similarly paltry.

In its March 7 statement, the company said it would offer new financing options to providers.

Providers pressure government to act

On March 5, almost two weeks after Change first reported what it initially called a cybersecurity "issue," the Health and Human Services Department announced several assistance programs for health providers.

One recommendation is for insurers to advance payments for Medicare claims — similar to a program that aided health systems early in the pandemic. But physicians and others are worried that would help only hospitals, not independent practices or providers.

Anders Gilberg, a lobbyist with the Medical Group Management Association, which represents physician practices, posted on X, formerly known as Twitter, that the government "must require its contractors to extend the availability of accelerated payments to physician practices in a similar manner to which they are being offered to hospitals."

HHS spokesperson Jeff Nesbit said the administration "recognizes the impact" of the attack and is "actively looking at their authority to help support these critical providers at this time and working with states to do the same." He said Medicare is pressing UnitedHealth Group to "offer better options for interim payments to providers."

Another idea from the federal government is to encourage providers to switch vendors away from Change. Sisselman said he hoped to start submitting claims through a new vendor within 24 to 48 hours. But it's not a practicable solution for everyone.

Torres said suggestions from UnitedHealth and regulators that providers change clearinghouses, file paper claims, or expedite payments are not helping.

"It's highly unrealistic," she said of the advice. "If you've got their claims processing tool, there's nothing you can do."

Mary Mayhew, president of the Florida Hospital Association, said her members have built up sophisticated systems reliant on Change Healthcare. Switching processes could take 90 days — during which they'll be without cash flow, she said. "It's not like flipping a switch."

Nesbit acknowledged switching clearinghouses is difficult, "but the first priority should be resuming full claims flow," he said. Medicare has directed its contractors and advised insurers to ease such changes, he added.

Health care leaders including state Medicaid directors have called on the Biden administration to treat the Change attack similarly to the pandemic — a threat to the health system so severe that it demands extraordinary flexibility on the part of government insurance programs and regulators.

Beyond the money matters — critical as they are — providers and others say they lack basic information about the attack. UnitedHealth Group and the American Hospital Association have held calls and published releases about the incident; nevertheless, many still feel they're in the dark.

Riggi of the AHA wants more information from UnitedHealth Group. He said it's reasonable for the conglomerate to keep some information closely held, for example if it's not verified or to assist law enforcement. But hospitals would like to know how the breach was perpetrated so they can reinforce their own defenses.

"The sector is clamoring for more information, ultimately to protect their own organizations," he said.

Rumors have proliferated.

"It gets a little rough: Any given day you're going to have to pick and choose who to believe," Saad Chaudhry, an executive at Maryland hospital system Luminis Health, told KFF Health News. "Do you believe these thieves? Do you believe the organization itself, that has everything riding on their public image, who have incentives to minimize this kind of thing?"

What happens next?

Wired Magazine reported that someone paid the ransomware gang believed to be behind the attack $22 million in bitcoin. If that was indeed a ransom intended to resolve some aspect of the breach, it's a bonanza for hackers.

Cybersecurity experts say some hospitals that have suffered attacks have faced ransom demands for as little as $10,000 and as much as $10 million. A large payment to the Change hackers could incentivize more attacks.

"When there's gold in the hills, there's a gold rush," said Josh Corman, another co-founder of I Am The Cavalry and a former federal cybersecurity official.

Longer-term, the attack intensifies questions about how the private companies that comprise the U.S. health system and the government that regulates them are defending against cyberthreats. Attacks have been common: Thieves and hackers, often believed to be sponsored or harbored by countries like Russia and North Korea, have knocked down systems in the United Kingdom's National Health Service, pharma giants like Merck, and numerous hospitals.

The FBI reported 249 ransomware attacks against health care and public health organizations in 2023, but Corman believes the number is higher.

Federal efforts to protect the health system are a patchwork, according to cybersecurity experts. While it's not yet clear how Change was hacked, experts have warned a breach can occur through a phishing link in an email or more exotic pathways. That means regulators need to consider hardening all kinds of products.

One example of the slow-at-best efforts to mend these defenses concerns medical devices. Devices with outdated software could provide a pathway for hackers to get into a hospital network or simply degrade its functioning.

The FDA recently gained more authority to assess medical devices' digital defenses and issue safety communications about them. But that doesn't mean vulnerable machines will be removed from hospitals. Products often linger because they're expensive to take out of service or replace.

Senator Mark Warner (D-Va.) has previously proposed a "Cash for Clunkers"-type program to pay hospitals to update the cybersecurity of their old medical devices, but it was "never seriously pursued," Warner spokesperson Rachel Cohen said. Riggi said such a program might make sense, depending on how it's implemented.

Weaknesses in the system are widespread and often don't occur to policymakers immediately. Even something as prosaic as a heating and air conditioning system can, if connected to a hospital's internet network, be hacked and allow the institution to be breached.

But erecting more defenses requires more people and resources — which often aren't available. In 2017, Woods and Corman assisted on an HHS report surveying the digital readiness of the health care sector. As part of their research, they found a slice of wealthier hospitals had the information technology staff and resources to defend their systems — but the vast majority had no dedicated security staff. Corman calls them "target-rich but cyber-poor."

"The desire is there. They understand the importance," Riggi said. "The issue is the resources."

HHS has proposed requiring minimum cyberdefenses for hospitals to participate in Medicare, a vital source of revenue for the entire industry. But Riggi says the AHA won't support it.

"We oppose unfunded mandates and oppose the use of such a harsh penalty," he said.

KFF Health News is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF—an independent source of health policy research, polling, and journalism. Learn more about KFF.