As the cyberattack enters its ninth day and continues to disrupt operations at health care organizations across the United States, it is unclear when systems will return to normal. In the meantime, it has created chaos for organizations that rely on Change Healthcare’s tools for payment, revenue cycle management, and medication fulfillment.
Change Healthcare has confirmed that Blackcat, which the Department of Justice describes as the second most prolific ransomware group in the world, is responsible for the cybersecurity attack that has crippled its systems since February 21.
Blackcat steals sensitive data and then seeks a ransom in exchange for decrypting the system and not publishing the stolen data. The attack has disrupted the health care technology company’s ability to process transactions, including payments and requests for insurance authorizations.
“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need. Based on our ongoing investigation, there is no indication that Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue,” the company stated in its status update today.
RELATED: Hacking at UnitedHealth unit cripples a swath of the US health system: What to know
The American Hospital Association (AHA) suspects the impact of the attack could be massive because Change Healthcare processes 15 billion health care transactions each year and touches one in every three patient records. Although Change Healthcare says that its prior authorization portals are active, AHA members report that many of their claims can’t be processed and they can’t complete eligibility checks to determine whether a patient’s insurance covers a prospective treatment.
In a February 26 letter to the Department of Health and Human Services (HHS), AHA said any prolonged disruption to the company’s systems will impact hospitals’ ability to offer their full set of services to patients and they may be unable to pay clinician salaries, acquire necessary medicines and supplies, and pay for physical security, dietary, and environmental services.
The health care industry trade group called on HHS to facilitate communications and transparency from Change Healthcare to the provider community, offer guidance to providers on how they can request Medicare payments, extend filing requirements under federally regulated health plans, provide flexibility to e-prescribing regulations, and evaluate how the attack may impact value-based purchasing programs.
In a LinkedIn post on Thursday, Ana Handshuh, principal, CAT5 Strategies, urged health plans to consider the AHA recommendations and rally for support from the Centers for Medicare & Medicaid Services (CMS). She said the agency needs to offer guidance for handling plan processes affected by system disruptions; evaluate potential impacts of medication-access and care-access issues as well as potential disruption to HEDIS® collection efforts on Star ratings for 2025 and 2026 Stars; and consider extending the risk adjustment data submission window currently available through March 1.
“Let’s stand united in advocating for the necessary assistance to safeguard patient care and mitigate financial strain on health plans,” Handshuh wrote. “Together, we can navigate through this challenging time.”
In an insights article, McDermott Will & Emery offered the following suggestions for organizations impacted by the incident:
- Review Health-ISAC recommendations for maintaining network connectivity with UnitedHealth Group, Optum, and United Healthcare, and monitoring of compromised systems and/or preventing unauthorized access
- Develop security- and incident-related questions or criteria for Change Healthcare to reestablish connectivity with its systems
- Review CISA recommendations to reduce the likelihood and impact of Blackcat ransomware and data extortion incidents
- Monitor Healthcare Financial Management Association recommendations and updates for processing potential claims and payment-related cashflow interruptions
- Monitor HHS channels for information related to AHA’s request that HHS offer guidance on how providers can access Medicare advance or accelerated payments to smooth cashflow issues
- Notify cyber carriers and other applicable insurers of any business interruptions and potential security incidents
- Review HIPAA compliance programs, including written policies and procedures and security risk analyses, to prepare for potential breach notifications, regulatory investigations, and/or privacy-related civil litigation
Consulting firm Kaufman Hall also suggests provider organizations maintain accurate information for claims they have to hold and ensure they have a queue ready to reconcile incoming payments once data becomes available. “Organizations should be mindful that, once connectivity with Change is reestablished, it may take some time to clear the backlog of unprocessed claims,” wrote Geoff Stenger and Zech Decker, who both serve as senior vice president at Kaufman Hall. In addition, they suggest provider organizations establish a framework to reconnect with Change Healthcare once it recovers from the cyberattack.
Just added!
Join RISE National for a special session on how to react to the cyber crisis with speakers Ana Handshuh, principal, CAT5 Strategies; Melissa Newton Smith, founder, senior advisor, Newton Smith Group; and Rex Wallace, founder & principal, Rex Wallace Consulting. The general session on Monday, March 18 will explore urgent strategies and proactive measures to safeguard patient care, mitigate financial strain, and ensure operational resilience in the face of cyber threats. Click here for more information. RISE National 2024 will take place March 17-19 in Nashville.