Ransomware, Governance, Risk and Compliance, Government Regulations

Change Healthcare ransomware attack disrupting industry nationwide

stethoscope on technology background

The reports keep coming in from across the country on how the Change Healthcare ransomware attack that first came to light on Feb. 21 has been impacting the healthcare sector.

The case has been called the most severe cyberattack on the healthcare sector in history and has had a great impact since Change Healthcare, owned by UnitedHealth Group, processes 15 billion healthcare transactions annually, affecting 1 in 3 patient records.

An American Hospital Association survey reported on March 15 that almost 60% of respondents say the revenue impact is $1 million per day or higher, and 44% said the adverse effects on revenue will continue for two to four more months.

Here are a few examples of how the incident has impacted patients, providers and local clinics:

  • The New Mexico Cancer Center told KRQE in Albuquerque, New Mexico. that it owes $2 million to its supplier of chemotherapy medication and grows concerned that unless the crisis gets resolved soon the supplier will cut them off.
  • A therapist in the Research Triangle Park area told ABC 11 in Raleigh-Durham, North Carolina, that she hasn’t received payments on nearly $200,000 for services rendered since the Change Healthcare incident first broke.
  • The CEO of Pulse Wellness Cooperative told KOIN 6 in Portland, Oregon, that Feb. 19 was the last day her employees were paid — and that she’s been looking into taking out credit cards or selling her house to meet payroll.
  • A Naperville, Illinois, man told CBS Chicago late last month that he had to pay out-of-pocket for medication for diabetes and congestive heart issues and was told Medicaid wouldn’t cover the costs. Not being able to pay for the meds, he wound up in the hospital.

Public does not have the full scope

Distressing though all these incidents are, Mary Mayhew, president and CEO of the Florida Hospital Association, explained that the public doesn’t know the full scope of the cyberattack since various reports from patients, providers and local clinics appear like isolated incidents.

“This was not an attack on some back-office administrative function,” said Mayhew. “This was a coordinated attack on our infrastructure. If this were an attack on a pipeline, the electronic grid, or our aviation towers, the public — and our elected officials — would have understood the situation better. What people do understand is if our providers can’t get paid for healthcare services, they can’t meet payroll.”

That’s what Health and Human Services (HHS) Secretary Xavier Becerra told the House Ways and Means Committee in a March 20 hearing on the fiscal 2025 budget for HHS.

Becerra explained that HHS has worked closely with UnitedHealth’s Change Healthcare since it went down on Feb. 21, as well as with most of insurers, culminating in HHS issuing $2.5 billion in payments in advance so providers can reconcile payments later.

“We want to keep them afloat so they can meet their payroll," said Becerra. "That means that nearly 6,000 providers have received payments as a result of Medicare and Medicaid action payments even though the bills have not come through the door. We will also insist that the insurance companies make it available to the providers."

Ahead of Wednesday’s hearing, UnitedHealth Group said on March 18 that it paid $2 billion so far in financial advances for struggling providers and has been testing medical claims software to resume payments.

CNN also reported March 19 that 95% of Change Healthcare’s health insurance claims are now being processed, according to a senior administration official who spoke to reporters in an update on the federal response to the cyberattack.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.