The fallout from the hack of a little-known but important healthcare company is causing pain in hospitals, doctor's offices, pharmacies and millions of patients across the country. Government and industry officials are calling the attack one of the most serious attacks on the health care system in U.S. history.
The Feb. 21 cyberattack on Change Healthcare, owned by UnitedHealth Group, cut off many healthcare organizations from the systems they rely on to submit patients' healthcare claims and receive payments. The resulting outage appears to have no impact on any of the systems that provide direct, intensive care to patients. But it has exposed a vulnerability that runs through the entire U.S. health care system, frustrating patients who can't pay for their medications at the pharmacy counter and threatening the financial solvency of some organizations that rely heavily on Change's platform.
Change Healthcare is a giant in the world of healthcare, processing 15 billion claims totaling more than $1.5 trillion annually, the company said. It operates the industry's largest electronic “clearinghouse” and acts as a pipeline connecting health care providers with insurance companies that pay for their services and determine what patients owe. It supported tens of thousands of doctors, dentists, pharmacies and hospitals and processed 50 percent of all medical claims in the United States, the Justice Department wrote in a 2022 lawsuit that unsuccessfully tried to stop UnitedHealth from acquiring the company.
Citing internal company documents, prosecutors wrote that Change concluded that “the health care system…would not function without Change Healthcare.”
The hackers, a ransomware gang once thought to have been crippled by law enforcement, stole patient data, encrypted company files and demanded money to unlock them. The company shut down most of its network in February to recover.
The US prescription drug market is in turmoil due to ransomware attacks
Quantifying the impact remains a moving target, with the severity depending on how committed organizations are to change. But three senior officials at the Department of Health and Human Services called it serious.
Adding to the urgency, Senate Majority Leader Charles E. Schumer sent a letter Friday to the Centers for Medicare and Medicaid Services urging them to make accelerated payments to hospitals, pharmacies and other providers, who were affected by the failure. Patients can't get information about whether insurance will cover treatment, while hospitals struggle to bill patients and receive payments, the New York Democrat wrote.
“Delinquency is costing hospitals across America millions every week, and people are even struggling to get prescriptions filled at their local pharmacy,” Schumer said in a statement on Sunday. “That’s why I’m calling on CMS to use its authority to cut red tape and provide affected health care providers with expedited and advanced payments, just as they did during the coronavirus crisis.”
“We recognize the impact this attack has had on healthcare operations,” an HHS spokesperson told The Washington Post, adding that the agency is working with UnitedHealth to avoid disruptions to patient care. The incident highlights the “urgency to strengthen cybersecurity resilience across the ecosystem,” the spokesperson said.
Molly Smith, group vice president of public policy at the American Hospital Association, said Sunday: “In our assessment, this is the most significant attack on the health care system in U.S. history.”
At some point, Smith said, the association heard of hospitals that weren't discharging certain patients because they couldn't refill their medications. Much of this disruption is being resolved as healthcare providers resort to manual submission of claims, she added.
Optum, a health services company also owned by UnitedHealth, said it had set up a temporary relief program to provide cash to organizations whose payment systems were affected – short-term loans that would have to be repaid once Change is up and running again. A senior HHS official said the agency is working with UnitedHealth to ensure the program is effective.
A spokesman for UnitedHealth said there were no updates Sunday but noted it had brought in consultants and was working with law enforcement. Since the hack, UnitedHealth says it has implemented “multiple workarounds to ensure people have access to the medications and care they need.”
Simply switching from Change to another provider is sometimes complex due to contractual agreements and technical reasons, according to industry representatives and pharmacists. In addition to routing claims to insurance companies, Change also sanitizes claim information to ensure codes and other details are correct. Although some competing providers have created some alternatives, Smith says they don't have the same cleanup functionality as Change, and many providers receive numerous rejections.
“At this point we have very, very incomplete workarounds, which means the cash flow issues continue,” she said.
Jose Arrieta, HHS's former chief information officer, said the cyberattack was among the most serious in the health sector in recent years and follows previous breaches.
“The size of the attack doesn’t matter. What matters is the impact,” Arrieta said. “And if you have the wherewithal to target a Fortune 5 Companies…everyone in the United States, no matter what industry you work in, should take this as a warning.”
While training solo in southern New Jersey, Craig Wax said his billing was “backwards, upside down and on fire.” The doctor serves patients of all ages and accepts multiple types of insurance. He relies on a small billing company that uses a software provider based on Change's platform.
“We’re going to go paperless” — submitting claims on paper forms — “and hope insurance companies respond to paper claims,” he said.
Some of the most persistent critics of the U.S. health care system, such as the Association of American Physicians and Surgeons — which opposes programs like Medicare, the federal government's health insurance program for older Americans — point to the Change Healthcare hack as further reason for skepticism of the current payment model.
The group's chief executive, Jane Orient, said the incident “shows the disaster that can result from reliance on centralized networks and third-party payments.”
Medium to large hospital systems across the country were affected by the cyberattack to varying degrees, according to hospital groups.
The Minnesota Hospital Association said some of its members' billing systems were crippled, unable to process claims and receive reimbursements. The Change Healthcare hack follows another local cyberattack that hit a radiology practice in Minnesota.
“There is growing concern about the ongoing impact on patient care and operational stability,” the association said in an email. “This places a significant burden on the financial sustainability of the health system.”
In an update to its members scheduled to be released Monday, the association, which represents hospitals in Massachusetts, said many of its members had disconnected from all Change Healthcare systems after learning of the hack.
Hospitals are working to establish alternative payment channels with insurance companies in the state, the association said. “It’s another financial emergency in a system already struggling to stay afloat,” Karen Granoff, senior director of managed care policy for the Massachusetts Hospital Association, said in the update.
At the University Hospital system in Cleveland, the outage affected patients' ability to obtain prescription medications at retail and specialty pharmacies, although the hospital system's in-house pharmacies were not affected, a spokesman said in an emailed statement.
According to Mary C. Mayhew, president and CEO of the Florida Hospital Association, hundreds of millions of dollars in weekly billings have now dried up in Florida and the damage could soon reach $1 billion.
“These hospitals were basing their operations on daily payments for the care they provided, and that suddenly came to a halt – and we are now on day 11 since the attack,” she said.
A lack of substantive information from UnitedHealth made the situation worse, she added, noting that switching to manual claims submission or finding another clearinghouse were not acceptable solutions. The latter could take 90 days, she said, according to one of her member hospitals.
And while larger systems may be able to weather the crisis by tapping into reserves, Mayhew warned that most community hospitals are falling victim to an attack on a business entity which has created vulnerabilities through its market dominance.
“If you're a small or medium-sized hospital that's already struggling with a very thin margin and a difficult cash flow situation, that's disastrous,” she said.