Health-care Hack Spreads Pain across Hospitals and Doctors Nationwide

REUTERS/Dado Ruvic/Illustration
Figurines with computers and smartphones are seen in front of the words “Cyber Attack” in this illustration taken, February 19, 2024.

The fallout from the hack of a little-known but pivotal health-care company is inflicting pain on hospitals, doctor offices, pharmacies and millions of patients across the nation, with government and industry officials calling it one of the most serious attacks on the health-care system in U.S. history.

The Feb. 21 cyberattack on Change Healthcare, owned by UnitedHealth Group, has cut off many health-care organizations from the systems they rely on to transmit patients’ health-care claims and get paid. The ensuing outage doesn’t appear to affect any of the systems that provide direct, critical care to patients. But it has laid bare a vulnerability that cuts across the U.S. health-care system, frustrating patients unable to pay for their medications at the pharmacy counter and threatening the financial solvency of some organizations that rely heavily on Change’s platform.

Change Healthcare is a juggernaut in the health-care world, processing 15 billion claims totaling more than $1.5 trillion a year, the company says. It operates the largest electronic “clearinghouse” in the business, acting as a pipeline that connects health-care providers with insurance companies who pay for their services and determine what patients owe. It supported tens of thousands of physicians, dentists, pharmacies and hospitals, handling 50 percent of all medical claims in the United States, the Justice Department wrote in a 2022 lawsuit that unsuccessfully tried to block UnitedHealth from acquiring the company.

Citing internal company documents, prosecutors wrote that Change had concluded that the “health care system … would not work without Change Healthcare.”

The hackers, a ransomware gang once thought to have been crippled by law enforcement, stole data about patients, encrypted company files and demanded money to unlock them. The company shut down most of its network in February as it tries to recover.

Quantifying the impact remains a moving target, with the severity depending on how much organizations relied on Change. But three senior officials at the Department of Health and Human Services described it as serious.

Adding to the urgency was Senate Majority Leader Charles E. Schumer, who sent a letter to the Centers for Medicare and Medicaid Services on Friday, asking it to make accelerated payments to hospitals, pharmacies and other providers who have been impacted by the outage. Patients can’t get information on whether insurance will cover a treatment, while hospitals are struggling to bill patients and receive payments, the New York Democrat wrote.

“The delay in payments is costing hospitals across America millions for every single week this continues, and people are even struggling to get prescriptions filled at their local pharmacy,” Schumer said in a statement Sunday. “That’s why I am calling on CMS to use its authority to cut through the red tape and provide accelerated and advanced payments to impacted health care providers just as they did during covid.”

“We recognize the impact this attack has had on health-care operations,” an HHS spokesperson told The Washington Post, adding that the agency is working with UnitedHealth to avoid disruptions to patient care. The incident underscores the “urgency of strengthening cybersecurity resiliency across the ecosystem,” the spokesperson said.

Molly Smith, group vice president for public policy at the American Hospital Association, said Sunday that as of now: “Our assessment is that this is the most significant attack on the health-care system in U.S. history.”

At one point, Smith said, the association heard from hospitals that were not discharging certain patients because they couldn’t get their medications filled. Much of that disruption is being worked out, as health-care providers resort to submitting claims manually, she added.

Workarounds

Optum, a health-services company that is also owned by UnitedHealth, said it has established a temporary assistance program to extend cash to organizations whose payment systems have been affected – short-term loans that would need to be repaid once Change is back up and running. A senior HHS official said the agency is working with UnitedHealth to make sure the program is effective.

A UnitedHealth spokesperson said it had no updates Sunday but noted it has enlisted consultants and is working with law enforcement. Since the hack, UnitedHealth has said that it has made “multiple workarounds to ensure people have access to the medications and the care they need.”

Simply switching from Change to another vendor is sometimes complex, according to industry officials and pharmacists, due to contractual agreements and technical reasons. In addition to routing claims to insurance companies, Change also scrubs the claim information to make sure the codes and other details are correct. While some rival vendors have created some alternatives, Smith said, they don’t have the same cleanup function that Change provides, and many providers are getting lots of rejections.

“We have very, very imperfect workarounds at this point, which means that the cash flow problems persist,” she said.

Jose Arrieta, former chief information officer of HHS, said the cyberattack was among the most serious in health care in recent years, building on prior breaches.

“The size of the attack doesn’t matter. What matters is the impact,” Arrieta said. “And when you have the wherewithal to target a Fortune 5 company … everybody in the United States, no matter what sector you work in, should take that as a warning.”

At his solo practice in southern New Jersey, Craig Wax said his billing is “backward, upside-down and on fire.” The doctor cares for patients of all ages and accepts multiple types of insurance, relying on a small billing company that uses a software provider dependent on Change’s platform.

“We’re going to dump to paper” – submitting claims on paper forms – “and hope that insurance companies respond to paper claims,” he said.

Some of the most persistent critics of the U.S. health system, like the Association of American Physicians and Surgeons – which opposes programs such as Medicare, the federal government’s health insurance program for older Americans – point to the Change Healthcare hack as another reason to be skeptical of the current payment model.

The group’s executive director, Jane Orient, said the incident “shows the catastrophe that can result from dependence on centralized networks and third-party payment.”

Hospital impact

Midsize to large hospital systems across the country were affected to varying degrees by the cyberattack, hospital groups say.

The Minnesota Hospital Association said the billing systems of some of its members have been hamstrung, unable to process claims and receive reimbursement. The Change Healthcare hack follows another local cyberattack that struck a radiology practice in Minnesota.

“There is a growing concern regarding the prolonged impact on patient care and operational stability,” the association said in an email. “This places a significant burden on the financial sustainability of the health care system.”

In an update to its members that was scheduled to go out Monday, the association representing Massachusetts hospitals said many of its members disconnected from all of Change Healthcare’s systems after they learned of the hack.

Hospitals were scrambling to set up alternative payment pathways with insurance companies in the state, the association said. “It’s yet another layer of financial distress on a system that is already struggling to stay above water,” Karen Granoff, the Massachusetts Hospital Association’s senior director of managed care policy, said in the update.

In the University Hospital system in Cleveland, the outage hobbled patients’ ability to get prescription medications from retail and specialty pharmacies, although the hospital system’s internal pharmacies were not affected, a spokesperson said in an emailed statement.

In Florida, meanwhile, hundreds of millions of dollars in weekly billings have dried up and the damage could soon hit $1 billion, according to Mary C. Mayhew, president and CEO of the Florida Hospital Association.

“These hospitals built their operations around daily payments for the care that they are providing, and that has come to a screeching halt – and we’re now on day 11 since the attack,” she said.

A lack of substantial information from UnitedHealth has made the situation worse, she added, noting that switching to manual submission of claims or finding another clearinghouse are not palatable solutions. The latter could take 90 days, according to one of her member hospitals, she said.

And while larger systems may be able to ride out the crisis by tapping reserves, Mayhew warned that most community hospitals are finding themselves victimized by an attack on a business entity that created vulnerabilities through its marketplace dominance.

“If you are a small or medium-sized hospital that is already dealing with a very small margin and challenging cash flow situation, this is disastrous,” she said.