A cyberattack that has shut down the nation’s largest healthcare billing clearinghouse and impacted dozens of related services for 10 days is delaying payments, threatening major cash flow issues for post-acute providers and limiting access to some patients’ medications, experts are warning.
The target was Change Healthcare, which filters claims, processes prescriptions, handles prior-authorization requests, and provides more than 100 other data and clinical support services. The company, acquired by UnitedHealth Group’s Optum in 2022, says it supports more than 14 billion clinical, financial and operational transactions annually.
Its users include 67,000 pharmacies, and much of the early outage attention focused on prescription and pharmacy billing when the attack was identified on Feb. 21. Change reported earlier this week that the outage had forced about 90% of US pharmacies to use a “modified” electronic claims process or switch to manual submissions.
But as the outage surpassed the one-week mark, concerns about late payments and cash flows across multiple sectors are still growing. Some fear the Change Healthcare systems may be down for at least a month.
Billing complications are already playing out all over the country, with providers who are losing money — or at least will be waiting on it — having to shell out additional pay for billers or fund contracts with replacement vendors.
The American Health Care Association/National Center for Assisted Living Thursday evening said it had sent a letter to federal officials seeking specific and quick relief, including the issuance of Medicare accelerated payments and help getting Medicare Advantage plans to provide similar advanced options.
One provider’s nightmare
Change Healthcare typically processes 90% of skilled nursing and home care billing claims submitted by RiverSpring Living in New York, including for all Medicare, Medicaid and managed care beneficiaries.
Billing staff there first noticed a problem just as news was breaking about the attack on Change Healthcare a little over a week ago. What was first thought to be a possible technical glitch quickly snowballed into a nightmare for the organization’s financial and IT teams. The situation has required a huge increase in billing hours, including the addition of new data entry staff.
“Instead of pressing one button to submit all of our claims to Medicare, a biller has to sit there for four or five hours and key in one claim at a time for 100 residents. That was done during the first week because that was the week we were billing Medicare. That’s something: We didn’t miss a billing cycle with Medicare,” Chief Information Officer David Finkelstein told McKnight’s Long-Term Care News Thursday. “But we introduced a manual data entry potential problem and a reconciliation problem between the automated claims and the manual claims.”
Those won’t be fully sorted until weeks after the Change systems come back online, which Finkelstein is hearing may not be for 30 to 45 days after the attack, depending on how much damage the hackers have done.
For now, though, there are more immediate concerns at RiverSpring. The community has more than 400 patients whose care is covered by Medicaid, for whom claims are submitted weekly. Because of the added time for manual entry, the community missed last week’s submissions.
“We missed that first week so we know six weeks from now, we won’t be paid for that particular cycle,” Finkelstein said. “We are working with our EMR vendor to look at different clearinghouses … but that’s a slow process and that takes some time. We have really used all of our financial resources to grab people and start keying claims so we don’t miss the next billing.”
Nationwide concerns grow
Nicole Fallon, vice president of integrated services and managed care for LeadingAge told members on a call Wednesday that the prolonged outage is “having far-reaching impacts throughout the healthcare community.”
“It impacts Medicaid. It impacts Medicare. It impacts Medicare Advantage, managed care,” she said. “I’ve heard different accounts, but as many as 50% to 70% of all US health claims are going through that system.”
Optum had disconnected some 112 systems from its internal networks, attempting to secure data. But that means providers’ and payers’ access to critical tools remains offline.
Late Thursday morning, Change confirmed the ongoing issues were connected to a “cybercrime” perpetrated by a group claiming to be ALPHV/Blackcat. The federal government issued a Joint Cybersecurity Advisory on that group in December, and updated its warning on possible further attempts by Blackcat against other healthcare organizations.
Optum has issued multiple daily updates, saying each day that it predicted the outage to last “at least through the day.” Thursday morning’s latest update vowed a proactive and aggressive approach to service restoration, with no specific target date or time.
“We are actively working to understand the impact to members, patients and customers,” the company said. “Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need.”
That language offered little relief to some IT professionals in the long-term care sector who are speculating that a full recovery could take weeks or even months, Fallon said. A UnitedHealth Group executive appeared to back up that estimate Thursday.
Advocating for recourse
Some healthcare technology experts had predicted a major crisis given the consolidation among clearinghouses.
“All of the trade associations, especially the ones I’m very active in … opposed the acquisition and merger between UnitedHealthcare and Optum,” Finkelstein noted. “We felt that there’s too much of a monopoly and too much of a single point of failure to the healthcare system. Unfortunately that’s being proven out.”
RiverSpring Living is working with its state and national associations to seek some sort of financial relief, most likely in the form of PIP, or payments in advance. They could be based on the percentage of a provider’s typical billings for a given patient load and help prevent complete financial uncertainty moving forward.
So far, CMS has issued no guidance on the ongoing delays or how billing practices and statutory filing requirements might be accounted for, and it’s unclear what the work-arounds might be, Fallon said.
AHCA’s Thursday letter to Health and Human Services Secretary Xavier Becerra called on the department and Centers for Medicare & Medicaid Services to trigger relief mechanisms because of “pervasive” financial impacts.
“Timely payments are essential for facilities to maintain daily operations and to keep their doors open for residents and patients, and we request your support for providers to access accelerated payments,” wrote President and CEO Mark Parkinson. “Accelerated payments have been an extremely useful life preserver for many providers in times of financial difficulties, including during the recent COVID-19 public health emergency.”
Regardless of any temporary relief, one thing that looks fairly certain to Finkelstein: The outage may significantly change Change Healthcare’s grip on the industry. As providers migrate now to new platforms, he expects many will likely spread their billing submissions across multiple platforms as a form of protection from future outages.
Many in the long-term care pharmacy business have switched billing platforms by now, but they may have “filled the prescriptions as normal without interrupting services and collected the claims for re-adjudication when the system returned,” said Chad Worz, PharmD, chief executive at the American Society of Consultant Pharmacists.
“The risk to the pharmacies is that they may have filled a prescription that was not covered or for a patient that was not eligible,” he told McKnight’s Thursday. “For LTC pharmacies, many could re-route their prescription claims through another ‘switch’ and many have done that returning their billing systems to normal – however, for any claim they filled during the outage, they risk not being reimbursed and, in some cases, especially in skilled nursing residents, those claims could be expensive medications in the thousands of dollars.”
Worz called on CMS to strengthen its emphasis and guidance on cyber security and emergency procedures to ensure proper implementation.
Patient protection
While UnitedHealth insists that its core products are safe from the cyberattack, some security experts have recommended that providers remain disconnected from ancillary product lines and services as a precaution. The fear is that hackers could access patient information in violation of the Health Insurance Portability and Accountability Act.
Significant questions remained Thursday about the breach’s impact on patients.
Blackcat claimed Wednesday to have stolen data including medical records, Social Security numbers, and information on active military personnel served at military healthcare facilities. The claim was removed from the group’s website by that night. If the claims are valid, the danger could go far beyond billing offices.
“The latest information that I saw was the ransom group got six terabytes of data,” Finkelstein said. “So for the next two to three to four years, all of our patients and residents — not only us but for other providers — will have to do credit monitoring. We’ll have to really carefully look at their financial records, and that group of people, the seniors that we treat are the most vulnerable. They’re the ones that really don’t understand some of this and they’re the ones that are going to need help from family members or facilities like ours to help them navigate all the actual and fraudulent claims of people wanting to ‘help them’ resolve this.”
