Payers, providers and pharmacies are scrambling to keep up after a high-profile cyberattack against a UnitedHealth Group subsidiary took down critical systems.
BlackCat, a prominent cybercriminal group behind the attacks on Las Vegas casinos last year, took Change Healthcare’s systems offline last week, reportedly stealing "millions" of records. As the disruption continues, Optum is “actively working to understand the impact to members, patients and customers,” the company said, and deploying “multiple workarounds” to maintain access to medications and services.
On Thursday, STAT News reported that a top UnitedHealth executive suggested the outage caused by the attack could last weeks. In the meantime, the company just announced it has been able to "stand up a new instance" of Change's Rx ePrescribing service, available to all customers as of March 1.
Cyberattacks against the healthcare sector are not new. The healthcare sector has been one of the most commonly-targeted by BlackCat, according to federal agencies. And over the past five years, there has been a 256% increase in large breaches reported to HHS’s Office for Civil Rights. The large breaches reported in 2023 affected more than 134 million individuals.
UnitedHealth Group acquired Change in 2022 after a face-off with the Department of Justice, which attempted to pursue the deal on antitrust grounds. Now, the DOJ is reportedly launching an antitrust probe into UnitedHealth Group.
What is unique about this particular cyberattack is the reach and multitude of offerings from the targeted company, per Molly Smith, group vice president for public policy at the American Hospital Association.
“Sufficient functionality has been lost,” Smith told Fierce Healthcare. “It’s just having widespread impact across the healthcare system simply because Change touches so much of the healthcare system.”
Evolving strategies to maintain operations
While some members are less impacted than others who are “dead in the water,” Smith said, she stressed that nobody was getting out “fully unscathed.”
Last week, the AHA recommended that its members consider disconnecting from Optum’s services until the incident at Change was resolved, warning the disruption could have “significant cascading and disruptive effects” across the sector.
AHA members are currently facing delays in verifying patient insurance coverage, prior authorizations and getting care scheduled, per Smith. In some cases, there are challenges related to the sharing of medical records for care coordination or the inability to bill patients for their cost sharing.
While the biggest determinant of how much a provider is affected is the extent to which they or their partners rely on Change systems, Smith said, “your ability to adjust and put workarounds in place is likely going to vary based on your own organizational resources and capabilities.” An organization that has spare financial resources or already has a relationship with alternative clearinghouses may be in a better position, she explained.
Coming out of COVID-19, half of all U.S. hospitals closed out 2022 with negative operating margins. As a result, Smith said, the Change attack has immediate financial impacts and potentially longer-term impacts for providers.
Due to disruptions to hospitals’ ability to bill and get payments, some AHA members are seeing immediate revenue loss, per Smith. They are also experiencing new labor expenses where manual work is needed, like for calling payers by phone or completing prior authorizations manually. Additional vendor costs are also on the table for those who need to establish new contracts, Smith said.
For now, organizations are moving forward with care even without authorizations if they feel like they need to and manually scheduling care, Smith said. Some AHA members are in discussions with medical supply and drug vendors to entertain delaying payments or a payment plan. Some hospitals are concerned about making payroll. While services today remain operational, that could change “very, very quickly.”
Longer term, the AHA expects revenue disruption that will likely last weeks or months after the disruption is resolved. The organization is concerned about the impact on hospitals’ credit ratings ahead of quarterly financial filings.
In a letter to HHS earlier this week, the Medical Group Management Association said that disruptions to medical groups, particularly smaller providers, include substantial billing and cash flow disruptions, issues with prior authorizations, inability to perform patient eligibility checks, delays in e-prescriptions and more.
Though most practices have a line of credit, MGMA said, many don’t carry reserves given their tax status. “The timing could not be worse,” the letter said.
Smaller providers like group medical practices that are typically structured as a corporation or LLC might have tax obligations that typically make them low on cash at the start of each year, explained Ryan Higgins, partner at McDermott Will & Emery. That puts their ability to make payroll at risk.
Providers are considering drawing on existing lines of credit or establishing new ones, Higgins said, but acknowledged that the ability to make a compelling case might be limited for smaller providers. General credit worthiness, larger staff and longer operating history may be given priority, he said.
However, healthcare organizations that partner with national management services organizations might have a loan agreement that would enable them to make short-term loans to cover cash flow interruptions like this, Higgins suggested.
Meanwhile, a spokesperson for the American Pharmacists Association told Fierce Healthcare “the situation continues to wreak havoc across the pharmacy community.” Some have pivoted to other tech partners for prescription processing, but others have not been able to make the switch, they said.
“For some prescriptions and patients that strictly rely on Change Healthcare, the workaround is a time-consuming manual process, which is unsustainable,” the spokesperson said. “For several manufacturer patient assistance programs that have copay cards, there are no alternatives. Some prescriptions are thousands of dollars without the manufacturers assistance, so these patients may not get their medicines.”
More comprehensive support needed
The main takeaway is for organizations to consider whether they have all the right backups in place, Smith said. That is not always possible, as it can be a costly endeavor, she acknowledged.
“The healthcare system writ large…we’re going to need some real support to get through this,” Smith said.
In addition to flexibility from payers, Smith said, the federal government can help guarantee flexibility around timely filing requirements of claims. “We’re really looking for all stakeholders to be very cognizant of the situation and work collaboratively to implement these solutions,” Smith said. “The longer this goes on the more and more impact it will have.”
“Right now, the goal is getting through this situation and recovering from it,” the spokesperson for the American Pharmacists Association said. “There are certainly lessons learned and safety nets that must be put in place to ensure continuity of care and mitigate impact at the pharmacies.”
The cyberattack is proof that healthcare should be taken more seriously by the government as it continues to consider what counts as ‘critical infrastructure,’ per Higgins.
“This is an example that would tilt toward including healthcare components within what’s conceived of as ‘critical infrastructure,’” he said, adding that right now, this is not clearly and unambiguously the case.
From guidance to financial resources to enforcement discretion, MGMA believes more government involvement is needed. In its letter to HHS, the organization requested that the agency “utilize all the tools at its disposal to mitigate these impacts, so medical groups do not have to take drastic actions to remain in operation.”