The Largest US Healthcare Payment System, Still Paralyzed After Serious Cyberattack

Various US medical care providers, from primary care physicians to urgent care chains, encounter major financial difficulties after a cyberattack on the country’s largest medical billing and payment system, operated by Change Healthcare, a unit of UnitedHealth Group.

The hacking shut down the nation’s biggest health care payment system, and financial chaos ensued, affecting everything from large hospitals to single-doctor practices, with patients and medical specialists being caught in this web.

From Ohio to Florida, from Pennsylvania to New Mexico, urgent care chains, cancer centers, and independent medical practitioners had to adapt and find desperate solutions to cover rent, salaries or even ensure function or treatments for their patients following this massive cyberattack for periods up to two months. 
We could give many more examples of the severe cash flow difficulties that medical care providers  — from large hospital networks to the smallest of clinics — had to face in the aftermath of a cyberattack which started February 21st and was stopped early March, but  paralyzed the largest U.S. billing and payment system in the country.
“The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization,” according to the American Hospital Association (AHA).

The attack forced the shutdown of parts of the electronic system operated by Change Healthcare

The Nashville-based healthcare technology company said it continues to work with law enforcement and cyber security consultants to get their systems back to normal following the cyberattack, but it does not know how long it will take to get fully resolved.

The attack forced the shutdown of parts of the electronic system operated by Change Healthcare, a sizable unit of UnitedHealth Group, leaving hundreds, if not thousands, of providers without the ability to obtain insurance approval for services ranging from a drug prescription to a mastectomy — or to be paid for those services.

In recent days, the chaotic nature of this sprawling breakdown in daily, often invisible transactions led top lawmakers, powerful hospital industry executives and patient groups to appeal to the U.S. government for help. Subsequently, the Health and Human Services Department announced that it would take steps to try to alleviate the financial pressures on some of those affected. Hospitals and doctors who receive Medicare reimbursements would mainly benefit from the new measures. 

U.S. health officials said they would allow providers to apply to Medicare for accelerated payments, similar to the advanced funding made available during the pandemic, to tide them over. They also urged health insurers to waive or relax the much-criticized rules imposing prior authorization that have become impediments to receiving care. And they recommended that insurers offering private Medicare plans also supply advanced funding.

H.H.S. said it was trying to coordinate efforts to avoid disruptions, but it remained unclear whether these initial government efforts would bridge the gaps left by the still-offline mega-operations of Change Healthcare, which acts as a digital clearinghouse linking doctors, hospitals and pharmacies to insurers. It handles as many as one of every three patient records in the country.

The hospital industry described measures as inadequate

Despite these efforts, it is not yet clear whether these measures will fully resolve the operational and financial issues caused by the still-offline services of Change Healthcare, which is a key digital intermediary in the healthcare system.

The hospital industry was critical of the response, describing the measures as inadequate.

Beyond the news of the damage caused by another health care cyberattack, the shutdown of parts of Change Healthcare cast renewed attention on the consolidation of medical companies, doctors’ groups and other entities under UnitedHealth Group. The acquisition of Change by United in a $13 billion deal in 2022 was initially challenged by federal prosecutors but went through after the government lost its case.

So far, United has not provided any timetable for reconnecting this critical network. “Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” United said in an update on its website.

But on March 1, a bitcoin address connected to the alleged hackers, a group known as AlphV or BlackCat, received a $22 million transaction that some security firms say was probably a ransom payment made by United to the group, according to a news article in Wired. United did not comment, neither did the security firm that initially spotted the payment.

The healthcare industry, one of the main targets for cyberattacks

The healthcare industry is one of the biggest and most lucrative targets for malicious cyberattacks. Since 2009, over 3.000 data breaches have resulted in upwards of 267 million compromised medical records. There were 642 breaches of 500 or more records in 2020 alone, with these attacks being cited as the top health tech hazard for 2022.

Back in 2018, American Medical Collection Agency’s online payment portal, which handled billing and collection services for laboratories like Quest Diagnostics and Lab Corp, was hacked.

Over 26 million people were affected, and the company was forced to move its payment portal to a third-party vendor.

Following this last attack, the U.S. Food and Drug Administration (FDA) team has issued new and enhanced cyber-security guidelines for internet-connected devices used by healthcare providers and hospitals.

The new set of protocol recommendations follows a series of guidelines the FDA has published over the years to help protect healthcare facilities, providers, and patients from growing cyber-security threats directed at medical devices.