The recent cyberattack on Change Healthcare has been called the most pervasive and damaging of its type in U.S. history.1 Change is a third-party healthcare technology company that, by its own account, touches 1 in every 3 patient records and processes 15 billion transactions annually.2 After the attack, Change shut down its systems to prevent further breaches, which left tens of thousands of healthcare providers unable to electronically fill prescriptions, verify insurance eligibility, obtain prior authorizations, or submit reimbursement claims.
For days, pharmacies were effectively paralyzed. In some cases, patients were billed hundreds or even thousands of dollars for medications normally covered by insurance or pharmaceutical discount coupons. Healthcare organizations went for weeks without reimbursement, and some clinicians worked without pay to keep clinic doors open. While unprecedented in scope, the attack on Change is not an anomaly—the number of healthcare system data breaches has risen each year in the United States since 2015, according to a recent report in TheHIPAA Journal.3 Without stronger security measures and more flexible, responsive preparedness plans, providers and patients will continue to be affected at an alarming rate. Addressing these problems will require concerted, coordinated efforts by private companies and the U.S. government.
Change Healthcare’s systems were infected by ransomware, a type of malware that encrypts data to make them inaccessible until a predetermined ransom is paid. Such attacks on healthcare entities not only hamstring patient care, but they also trigger immediate financial fallout, since most healthcare systems are reimbursed on a daily basis. In the days and weeks after the attack on Change, affected hospitals, clinics, and other healthcare systems sought relief in the form of advanced payments from private payers and CMS. However, most payers were slow to respond and offered only short-term, limited assistance wrapped in abundant red tape.4
An example is the Temporary Funding Assistance Program established by Change’s parent company, UnitedHealth Group, to “bridge” short-term cash flow problems due to disrupted services.5 After reading the fine print, the American Hospital Association excoriated the program as providing “not even a band-aid” solution to healthcare systems affected by the attack.2 Only a small fraction of them could even access the program, which also failed to address providers’ inability to quickly and accurately submit claims. Moreover, the program imposed “shockingly onerous” terms—it required repayment within 5 days of notice, enabled immediate fund recoupment, mandated extensive data disclosures, and imposed broad liability waivers and strict damage limitations.2 These are indeed callous terms from a Fortune 5 company that reported $22 billion in profits last year.
In mid-March, several weeks into the attack, officials from the U.S. Department of Health and Human Services (HHS) and the White House met with leaders from hospitals, outpatient clinics, community health centers, pharmacies, long-term care facilities, and infusion centers to discuss the attack and payers’ response.4 At the meeting, healthcare leaders called on UnitedHealth and other payers to step up—specifically, to implement more payment options, expedite communication with hospitals/clinics and pharmacies, and relax requirements for billing and claims processing until Change Healthcare’s systems were fully restored.
Healthcare leaders also have called on Congress to revisit the statutes governing CMS’s ability to provide advance payments to mitigate reimbursement disruptions.1 Although CMS responded to the attack on Change by offering providers payments under its Accelerated and Advanced Payment (AAP) program, the loans were short-term and limited, and interest rates were high after payments were due.6 The statutes responsible for these limitations cannot be circumvented unless a national emergency is declared (as occurred during the acute phase of the COVID pandemic, but not during the attack on Change). Given these shortcomings, healthcare leaders have asked Congress to evaluate how to improve the AAP program’s utility and capacity and to consider emergency-specific policies that waive certain commercial payer requirements, such as those for prior authorization and timely claims filing.
A cybergang known as BlackCat/AlphaV has claimed responsibility for the attack on Change, and a hacker forum has reported that a $22 million extortion payment was made to BlackCat by either Change or UnitedHealth.7 BlackCat subsequently left the dark web but is seen as likely to rebrand and return. As of this writing, Change’s systems and services have been restored, but the process took nearly a month, and the company faces a $14 billion backlog in unprocessed claims.8 The HHS has called the attack “a reminder of the interconnectedness of the domestic health care ecosystem and the urgency of strengthening cybersecurity resiliency across the ecosystem."9
Resiliency is crucial and needs strengthening—some recent healthcare system breaches exploited fundamental security weaknesses.3 However, due to the increasing frequency and sophistication of cyberattacks, not all can be avoided. When attacks occur, public and private payers need to be able to quickly pivot and support healthcare organizations to prevent widespread harm. This is especially crucial because the attack on Change is part of a sea change in cybercrime against U.S. systems. In recent years, groups like BlackCat have abandoned their former reluctance to openly target hospitals and other critical infrastructure.10 In 2023, the healthcare and public health sectors were the most frequent victims of cyberattacks, with a record 725 breaches reported to the HHS Office for Civil Rights; these attacks caused the exposure or impermissible disclosure of more than 133 million patient records.3
Hospitals, clinics, and healthcare systems can and should strengthen existing security measures to protect their data. However without additional funding and technical assistance, many will be unable to fully achieve this goal. Furthermore, Congress, CMS/Medicare, UnitedHealth, and other large healthcare organizations need to take drastic action to improve their ability to respond to large-scale, sophisticated cyberattacks. When attacks occur, CMS and private payers need to be prepared to respond rapidly and effectively, in a manner that supports, rather than impedes, patient care. Failure to do so leaves too many patients where they are today—vulnerable to privacy breaches and serious disruptions in care when cyberattacks occur.
Written by: Ruchika Talwar, MD, Urologic Oncology Fellow and an AUA Holtgrewe Legislative Fellow at Vanderbilt University Medical Center.
References
- Congress urged to help hospitals impacted by Change Healthcare cyberattack. American Hospital Association. March 19, 2024. Accessed April 3, 2024. https://www.aha.org/lettercomment/2024-03-20-congress-urged-help-hospitals-impacted-change-healthcare-cyberattack#:~:text=On%20Feb.,the%20health%20care%20system%20operating
- AHA expresses concerns with UHG program in response to cyberattack on Change Healthcare. American Hospital Association. March 4, 2024. Accessed April 3, 2024. https://www.aha.org/news/headline/2024-03-04-aha-expresses-concerns-uhg-program-response-cyberattack-change-healthcare.
- Security breaches in healthcare in 2023. The HIPAA Journal. January 2024. Accessed April 3, 2024. https://www.hipaajournal.com/wp-content/uploads/2024/01/Security_Breaches_In_Healthcare_in_2023_by_The_HIPAA_Journal.pdf.
- Readout of Biden-Harris administration convening with health care community concerning cyberattack on Change Healthcare. U.S. Department of Health and Human Services. March 12, 2024. Accessed April 3, 2024. https://www.hhs.gov/about/news/2024/03/12/readout-biden-harris-administration-convening-health-care-community-concerning-cyberattack-change-healthcare.html
- Temporary funding assistance program for providers. Optum. Publication date unknown. Accessed April 3, 2024. https://www.optum.com/en/business/providers/health-systems/payments-lending-solutions/optum-pay/temporary-funding-assistance.html?v=optum.com/temporaryfunding
- Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers. Centers for Medicare & Medicaid Services. March 9, 2024. Accessed April 3, 2024. https://www.cms.gov/newsroom/fact-sheets/change-healthcare/optum-payment-disruption-chopd-accelerated-payments-part-providers-and-advance
- Satter R. Hacker forum post claims UnitedHealth paid $22 mln ransom in bid to recover data. Reuters. March 5, 2024. Accessed April 3, 2024. https://www.reuters.com/technology/cybersecurity/hacker-forum-post-claims-unitedhealth-paid-22-mln-ransom-bid-recover-data-2024-03-05/
- Leo L. UnitedHealth unit will start processing $14 billion medical claims backlog after hack. Reuters. March 22, 2024. Accessed April 3, 2024. https://www.reuters.com/technology/cybersecurity/unitedhealth-says-several-services-handling-medical-claims-unit-change-will-go-2024-03-22/
- U.S. Department of Health and Human Services. HHS statement regarding the cyberattack on Change Healthcare. March 5, 2024. Accessed April 3, 2024. https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html
- Cybersecurity advisory: #stopransomware: ALPHV Blackcat. Cybersecurity & Infrastructure Security Agency. Updated February 27, 2024. Accessed April 3, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
Published April 2024