EXPLAINER: What to Know About the Change Healthcare Cyberattack

[ad_1]

The ramifications of a cyberattack on a critical health care technology company are still being felt in the U.S.

The attack also prompted high-level calls for action from the likes of Senate Majority Leader Chuck Schumer of New York and leading medical organizations. The American Medical Association called on the Department of Health and Human Services to “use all its available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need.”

“This massive breach and its wide-ranging repercussions have hit physician practices across the country, risking patients’ access to their doctors and straining viability of medical practices themselves,” the AMA’s president, Dr. Jesse Ehrenfeld, said in a March 4 statement. “This is an immense crisis demanding immediate attention.”

Similarly, the American Hospital Association told HHS in late February that hospitals and health systems may require “immediate federal support” amid the fallout, noting the vast reach of Change Healthcare’s systems and warning that a prolonged disruption “will negatively impact many hospitals’ ability to offer the full set of health care services to their communities.”

AHA President and CEO Rick Pollack called the cyberattack “the most serious incident of its kind leveled against a U.S. health care organization.”

What Is Change Healthcare?

Change Healthcare, which is owned by UnitedHealth Group, manages health care technology pipelines connected to tasks such as processing insurance claims and billing, reportedly handling 15 billion transactions annually.

As noted by The Washington Post, the Justice Department in a 2022 lawsuit cited United as stating that 50% of U.S. medical claims go through Change’s “electronic data interchange clearinghouse.”

What Happened?

“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments,” UnitedHealth Group said. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

A specific timeline for restoration of services was not provided in the initial wake of the attack. But in a March 7 statement, UnitedHealth Group said electronic prescribing for pharmacy services was “fully functional with claim submission and payment transmission” available as of that date.

The company said its electronic payment platform would be reestablished beginning March 15, and that it expected to start testing and establishing claims network connectivity on March 18, with service restored through the week.

“As workarounds continue to be deployed, our latest data shows 90% of claims are flowing uninterrupted,” the company said, though it acknowledged “there are still a number of providers who are not able to submit claims or receive payment.”

Meanwhile, a temporary funding assistance program for providers has been set up through Optum, which is also owned by UnitedHealth Group. UnitedHealth Group said in its March 7 update that “further funding solutions” involving advance payments would be offered to provider partners of UnitedHealthcare, its health benefits business, and that the Optum program would be expanded “to include providers who have exhausted all available connection options, and who work with a payer who has opted not to advance funds to providers during the period when Change Healthcare systems remain down.”

“This expansion is a funding mechanism of last resort, especially for small and regional providers, and will be evaluated on a case-by-case basis,” the statement said.

What’s the Impact of the Health Care Hack?

Many physician practices have not been able to submit claims, according to the AMA, and “a considerable proportion of revenue cycle processes have ground to a halt.” The group in a March 1 letter to HHS identified top concerns among practices since the incident, including the interruption of administrative and billing processes, practices having to take on “enormous” administrative burdens and significant data privacy fears.

The outage cost some health care providers over $100 million a day, according to an estimate from First Health Advisory, a digital health risk assurance firm. Schumer, in a March 1 letter to the federal Centers for Medicare & Medicaid Services, said Change Healthcare had suspended more than 100 services and that hospitals and other providers were facing adverse impacts on their financial solvency.

“Hospitals are struggling to process claims, bill patients, and receive electronic payments, leaving them financially vulnerable,” Schumer said. “Many hospitals are approaching a financial cliff where they will no longer be able to rely on their cash on hand.”

Schumer asked CMS to make accelerated and advanced payments available for affected providers, akin to what was offered during the COVID-19 pandemic. On March 5, federal officials said hospitals could submit requests for accelerated payments to Medicare administrators “for individual consideration,” and urged Medicare Advantage organizations, as well as Medicaid managed care plans, to relax prior authorization requirements for care and to consider offering advance funding to providers.

The Department of Health and Human Services Office of Civil Rights also announced on March 13 that it would be investigating whether “a breach of protected health information occurred” in the attack and examining compliance by Change Healthcare and United HealthGroup with the Health Insurance Portability and Accountability Act.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” Melanie Fontes Rainer, the office’s director, wrote in a “Dear Colleague” letter.

Who Is Responsible for the Hack?

Change Healthcare said the group identified itself as ALPHV/BlackCat.

According to a report from Wired, the group of hackers recently received a $22 million transaction that looks like it could be a large ransom payment related to the attack. A spokesperson affiliated with Change Healthcare declined to answer whether a ransom has been paid, according to Wired.

In December, the Justice Department announced it had targeted ALPHV in a disruption campaign.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa Monaco said in a statement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online.”

[ad_2]

This article was originally published by a www.usnews.com . Read the Original article here.

More Articles

Sign Up For A FREE Wellness Coaching Session!