A month later, Change Healthcare cyberattack becoming ‘extremely dire’ for affected practices

The major computer attack against Change Healthcare that started Feb. 21 still is rippling through the American health care system.

This week, Change Healthcare corporate parent UnitedHealth Group began releasing medical claims preparation software, which the company called “an important step in the resumption of services,” with rollout this week. The company also was making available third party documentation and an Assurance Security Environment Statement, accessible by email.

‘Extremely dire’

The situation has grown “extremely dire for practices and organizations that have been affected,” said a joint letter from Rep. Mariannette Miller-Meeks, MD (R-Iowa), and Rep. Robin L. Kelly (D-Illinois). Problems include billing and cash flow disruptions, prior authorization delays, and remittal issues for electronic prescriptions, they said.

In a letter to U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra, the representatives, with 94 other co-signers, said HHS must use its existing authorities to ensure money should be flowing for services rendered under traditional Medicare, Medicare Advantage and Medicaid. HHS also should continue talks with Change Healthcare and affiliates UnitedHealth Group and Optum to offer financial and other assistance to affected organizations.

“Smaller physician practices already operate under slim financial margins, especially with the recent cuts in Medicare reimbursement,” said the letter, which was announced by the American Medical Association. “These challenges are also more acutely felt by practices in rural and underserved areas. While smaller practices potentially face possible closure, larger practices still face an inability to meet payroll.”

Meanwhile, patients are paying for medications and supplies with no known solution to make them whole, and those on fixed incomes may face challenges paying other bills in coming weeks, the representatives said. They also face risks of identity theft and targeted scams because protected health information was stolen.

Effects on hospitals

On March 19, American Hospital Association (AHA) President and CEO Richard J. Pollack wrote to leaders of the House Ways & Means Committee explaining how UnitedHealth Group’s plans are good, but hospitals need money now.

“We appreciate the information that UnitedHealth Group laid out early this month regarding an aspirational timeline of potential technical relief for this historic cyberattack on the U.S. health care system,” Pollack said. “However, nothing in the announcement materially changes the chronic cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing as a result.”

It could take weeks or months to make whole payers and providers as they work through a backlog of unprocessed and rejected claims delayed by the disruptions of the cyberattack, he said.

“All of this means that it will be a long time before hospitals and health systems can have the confidence that they will be paid for care they have already provided,” he said.

Pollack called for more assistance from HHS and Congress.

Meanwhile, mandatory cybersecurity requirements for hospitals may be well-intentioned, but misguided. No one is immune to cyberattacks, Pollack said, and cutting Medicare funding or fining hospitals for not meeting requirements will only hurt hospitals’ ability to bolster cybersecurity.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” his letter said. “Many recent cyberattacks against hospitals and the health care system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors.”

White House response

On March 18, the U.S. Department of Health and Human Services convened health insurers to discuss a survey of payers about actions they were taking to help physicians and other providers resolve issues from the cyberattack.

HHS Secretary Xavier Becerra and White House Domestic Policy Adviser Neera Tanden discussed moves to improve claims processing. They also urged more support to physicians and other providers still in need, especially those in rural and underserved areas, rural hospitals and smaller institutions, according to HHS’ official meeting readout.

Because of the interconnections among the U.S. health care system, Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, urged insurers to adopt HHS’ voluntary health care and public health cyber performance goals. She also encouraged UnitedHealth Group to communicate about efforts to secure claims systems because many payers and providers will require third party certification of Change Healthcare’s cybersecurity before reconnecting, the official readout said.