CA doctors face uncertainty after Change Health Care cyber attack

For the past month, Sacramento dermatologist Dr. Margaret Parsons has been unable to submit insurance claims to receive payment for services rendered.

All of her private practice’s billing is done through Change Healthcare, the nation’s largest insurance claims network and the subject of a Feb. 21 cyberattack that has not yet been fully resolved.

Change Healthcare, a subsidiary of UnitedHealth Group, processes about half of the nation’s medical claims. Four weeks after the cyberattack, some providers in California and elsewhere are still waiting on claims and refunds. In the meantime, they are busy paying bills and ordering medical supplies.

This cybersecurity breach disrupted payment and prescription drug processing for tens of thousands of hospitals, physician organizations, dentists, and pharmacies. The American Hospital Association called it “the most significant cyberattack on the U.S. health care system in U.S. history.”

Although the attacker’s exact point of entry is unknown, ransomware attacks typically involve someone clicking on a malicious link within an email. It demonstrated the vulnerability of the financial infrastructure that supports the medical system. And providers are learning that the fallout can last for a long time.

Parsons’ four-physician private practice sees about 100 to 125 patients a day. Business is healthy, she said, but cash flow is drying up. If you submit a claim using e-billing, you will typically receive your refund within two weeks. Her office recently crunched the numbers and she expects to be able to practice for at least a few weeks.

But it’s been a stressful month, she said. Until recently, she considered filing insurance claims the old-fashioned way: paper. She said she decided to wait because paper billing takes twice as long and is prone to data entry errors. At one point, she even wondered if she needed to borrow money to pay her rent and staff.

“Calculate your bank balance, weekly bills, payroll, and start counting hard. Look at your credit line and decide whether to call your bank or not,” she said.

She said she recently had some relief because her office signed a contract with an alternative insurance claims system. The system is expected to be launched soon. She also applied for access to advance payments from Medicare through a temporary program set up to give health care providers some relief. Medicare is a federal public insurance program for the elderly and disabled. This option gives her some breathing room and she’s optimistic she’ll be able to file a claim again soon.

“We’re looking forward to next week at this point,” she said.

change health care performs more than 100 health system operational functions, including payment and prescription drug processing.

Change Healthcare announced Monday that it plans to resume processing claims for thousands of doctors over the next few days, but like Parsons, some doctors were still unable to process claims as of Tuesday. .

“On March 15, the company restored the Change Healthcare electronic payments platform and is proceeding with its rollout to payers,” the company said in an update shared with CalMatters. “On March 7, the company restored 99% of its Change Healthcare pharmacy network services and continues to work on remaining issues.”

Aftermath of a prolonged cyber attack

Dr. Abid Mogannam, a vascular surgeon who serves patients in Alameda and Contra Costa counties, said about 30% of his claims are made through Change Healthcare. Mr Mogannam said that would mean 30 per cent of his private practice salaries would be delayed.

“That’s important to us. If we encounter an unfortunate practice that only contracts with payers that are affected by this, we will be forced to make difficult decisions, including closure, bankruptcy, temporary office closures, and limited patient access.” “It’s possible,” he said.

He said this new fiscal pressure, on top of rising costs due to inflation, comes at a time when small businesses are recovering from the COVID-19 pandemic. “The last few years have been challenging,” Mogannam said. Because of the current changing health care landscape, “it will take many months for us to be complete,” he said.

Last week, the California Department of Managed Care urged health insurance plans to accept paper claims and remove or relax requirements for claim submission deadlines.US Department of Health and Human Services Guidance issued Medicare providers should relax or remove claims submission requirements and encourage state Medicaid providers to do the same, after which officials began extending them Loans to Medicare Providers.

“The disruption caused by this unprecedented cyberattack threatens the very existence of many healthcare organizations, especially those that are small and serve rural and underserved communities. It’s putting us at risk,” said Tanya Spirtos, president of the California Medical Association. blog post. “This is an urgent crisis that requires immediate action.”

Payments to hacker groups

The attacker remains at large as medical workers scramble to pay salaries and order medical supplies.next Estimated $22 million worth of Bitcoin paymentsthe ALPHV/Blackcat hacker group that claimed responsibility for the attack is said to have deceived the co-conspirators and disbanded a few days later.

ALPHV/Blackcat is a transnational gang that emerged in 2021 and is the second most prolific ransomware-as-a-service author in the world. The Federal Bureau of Investigation believes that more than 1,000 entities of local governments and critical infrastructure providers in the United States have fallen victim to ransomware attacks since 2021.

According to a study, vulnerabilities that emerged in late 2023 are having a disproportionate impact on the healthcare industry. Cyber ​​security advisory The announcement was made by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services. Although investigation is ongoing, details of this vulnerability have not yet been disclosed.

In addition to the United States, law enforcement agencies from Australia, Denmark, Germany, Spain, and the United Kingdom joined in a joint campaign to stop ALPHV/Black Cat operations in December 2023.

in recommendation In the report, published a week before the Change Healthcare attack, the U.S. government promised a reward of up to $15 million for information leading to the conviction of members of the ALPHV/Blackcat ransomware gang.

The attack on Change Healthcare was particularly painful for Riaz Lakhani. Lakhani, who works in cybersecurity for the Campbell-based company Barracuda Networks, said his wife owns a dental practice. He said he is considering dipping into her personal savings to keep her dental practice afloat.

Riaz said this attack shows that single points of failure and large billing companies like Change Healthcare are attractive incentives for attackers looking to get their hands on large amounts of data. said.

He said the incident raises questions about whether Change Healthcare had a proper disaster recovery program and whether hackers would try to sell medical data on the dark web. “There is,” he said.

It’s also unclear whether UnitedHealth Group’s 2022 acquisition of Change Healthcare introduced the vulnerability or whether the hackers will try to sell data obtained in the attack, Riaz said. Last week, the U.S. Department of Health and Human Services Office for Civil Rights started an investigation Investigate whether a breach of protected health information has occurred or a violation of federal health privacy laws.

Cyber ​​attacks on hospitals and schools

Amy Chan, a senior researcher and former director of the R Street Institute, said that once the attack is over, much will be made to think retrospectively about how the largest cyberattack on the health care system in U.S. history could have been prevented. He said that it would be possible. JP Morgan’s cybersecurity practice is based in San Francisco. This attack demonstrates the appeal of targeting public institutions such as schools, local governments, and hospitals. These institutions tend to have relatively limited cybersecurity budgets and provide essential services, making them prime targets.Cybersecurity experts call them Targets are plentiful, resources are scarce..

The Change Healthcare attack also illustrates the consequences of consolidating key technologies across a small number of companies. The attack is similar to the 2021 Colonial Pipeline cyberattack that shut down multiple gas pipelines and caused fuel shortages along the U.S. East Coast.

“Because of this presence that you probably never heard of until it actually happened, and because of this presence that is having far-reaching effects that really endanger lives, especially in medical settings, we’re seeing the same, if not more, You’re seeing kind of a knock-on effect. There’s a risk,” Chan said.

New Zealand-based cybersecurity company Emsisoft has noticed increased cybersecurity across the United States. Attacks on hospitals increase 2023 has increased compared to 2022 and 2021. Attacks on school districts have also increased during this period. Last fall, researchers estimated that: Ransomware attack kills dozens of Medicare patients in the US From 2016 to 2021.

Parsons, a Sacramento dermatologist who will have to operate on a tight budget until her practice reopens, said she is more concerned about her colleagues in higher-cost practices such as oncology.

“We’ll be fine,” she said. “But when you think about the other kinds of habits that are being affected, it’s very real.”