Providers say UnitedHealth cyberattack ‘a mess’ that threatens their financial health
While there's typically a several-week lag for submitted claims to be paid, hospitals and clinics say they may soon face a cash crunch because of the billing mess — which could have consequences for covering payroll and supply costs.
UnitedHealth Group says it's making progress on workarounds and fixes that are helping restore the payment system. Yet hospital and physician groups say many health care providers are still having major problems getting paid and have strengthened calls for relief from the financial fallout.
More aftershocks from the cyberattack surfaced this week, from federal lawsuits filed against UnitedHealth to reports of a possible ransom being paid to the hackers.
"What we are hearing is hundreds of millions of dollars of claims are just sitting, because they've not been able to go through this pipeline that's been shut off," said Dr. Rahul Koranne, chief executive of the Minnesota Hospital Association. "So there's a scramble to get to other pipelines."
The cyber incident on Feb. 21 prompted UnitedHealth to suspend operations of the electronic data clearinghouse at Change Healthcare. This system, which is widely used by pharmacies, hospitals and clinics, processed an estimated 50% of all medical claims in the U.S. during 2022.
Last week, UnitedHealth rolled out a financial assistance program for health care providers struggling with cash flow problems, but the American Hospital Association on Monday blasted this solution as far too insufficient, saying the company "can — and should — be doing more to address the far-reaching consequences."
Blue Cross and Blue Shield of Minnesota says its exploring options for making payments more timely. Minneapolis-based UCare is working with health care providers on a case-by-case basis on help during the stoppage.
On Tuesday, the federal government announced steps to help health care providers, but the American Medical Association says the measures don't go far enough.
UnitedHealth Group says its technical work is helping preserve patient access to medications.
"We continue to see pharmacy claims flowing at near-normal levels," the company said in a Tuesday afternoon update. "While some pharmacies are still unable to submit claims, we are making progress toward full restoration."
Yet the problems that remain are serious, said John Hoeschen, the owner of St. Paul Corner Drug. His pharmacy was fortunate to primarily rely on a clearinghouse other than Change Healthcare, yet Hoeschen still has a stack of claims for Medicare Part B payments that he hasn't been able to submit for about two weeks.
"If you can't submit a claim, you can't get paid for a claim," he said. "It's a mess — it's an absolute mess. And I don't know when it's going to get resolved."
The pharmacy problems have impacted patients, according to lawsuits filed this week in the U.S. District Court of Minnesota.
In one filing, a California resident says he was told that, because of the problem, he'd have had to pay full price for his medication and pursue an insurance claim after the fact. The plaintiff "is hesitant to pursue further medical care until he is assured that his information has been secured and his insurance coverage will be accepted," the lawsuit states.
A second lawsuit, brought by another California patient, says the inability to fill a prescription exposed him "to potential negative health risks."
"[UnitedHealth Group] is responsible for the data breach because it failed to implement reasonable security procedures and practices and failed to disclose material facts surrounding its deficient security protocols," this second lawsuit alleges.
The company did not comment on the lawsuits, which were filed as class actions.
Compared with pharmacy systems, UnitedHealth Group says it will take longer to bring a full recovery to systems for filing medical claims. About 90% of these claims are "flowing uninterrupted," the company said, but some health care providers say this figure doesn't seem to capture the degree of disruption in Minnesota.
The Minnesota Hospital Association says it's talking with the Walz administration and the state's congressional delegation about whether payments from the government's Medicare and Medicaid programs could be accelerated for cash-strapped health care providers.
While Minneapolis-based Allina Health says it's used manual workarounds to help patients with their insurance coverage and authorizations, it's proven "much more difficult" to get claims submitted to health insurers. Allina runs nine hospitals including Abbott Northwestern in Minneapolis, one of the state's largest medical centers.
"We are experiencing a gap in our ability to bill for most of our hospital services," the health system said in a statement Monday evening.
At Minnesota Voice & Speech Clinic in Hopkins, office manager Marti Priest says the system shutdown has left her practice sitting with about $4,000 worth of claims she still can't submit.
This week, the company that supplies an electronic medical record for her practice has scrambled to create an alternate system for submitting claims to commercial health insurers, Priest said. While she hopes to start using it soon, Priest hasn't yet found a workaround for submitting claims to government-sponsored health plans.
"Have you heard the old saying, 'how many miles does it take to turn an ocean liner?'" Priest said. "This is the ocean liner, and every single provider is trying to stop on a dime and turn."
UnitedHealth Group initially disclosed the incident by saying a "nation-state associated cyber security threat actor" had accessed some information technology systems at Change Healthcare. Last week, the company said the cyberattack was "perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat."
This group is notorious for encrypting data to hold it hostage in order to secure massive cryptocurrency payouts. A federal report in February identified Blackcat among Russian cyber criminal groups, but cybersecurity expert Brett Callow said he didn't consider the gang as being a state-sponsored, nation-state associated or Russian.
Wired magazine reported earlier this week on signs from a Bitcoin account and a cybercriminal underground forum that suggest the alleged hackers might have received a $22 million ransom. UnitedHealth Group would not comment, beyond saying the company is "focused on the investigation."
On Tuesday, Reuters reported on an apparent "exit scam" by the hackers, a strategy where criminals falsely claim their website has been disabled by law enforcement in hopes of avoiding payment to partners in crime.
The biggest cyber-ransom paid to date was about $40 million, said Callow, an analyst with the cybersecurity firm Emsisoft. Massive payments like this are a problem because they encourage the attackers and provide them with resources to scale their operations, he said.
"We know that $22 million was paid into a wallet belonging to ALPHV, and we know that someone claiming to be an affiliate of ALPHV stated that the money was paid by Change," Callow said of the report in Wired magazine. "While this does not prove that Change paid, it certainly points to it."
Aside from the Change Healthcare systems, UnitedHealth Group says its other systems were not hit by the cyberattack including those at its UnitedHealthcare insurance business as well as the Optum division for health care services.
Staff writer Mike Hughlett contributed to this report.
©2024 StarTribune. Visit startribune.com. Distributed by Tribune Content Agency, LLC.
Manchin, Romney Lead Bipartisan Effort To Protect Medicare For Future Generations
President Biden Announces Plan to Lower Housing Costs for Working Families
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News