Change Healthcare cyberattack continues to affect doctors: ‘Practices will close’

Doctors continue to struggle financially due to the Change Healthcare cyberattack.

More than a third of physician practices (36%) have seen the suspension of claim payments, according to a survey by the American Medical Association. Four out of five (80%) said they lost revenue from unpaid claims, and more than half (55%) used personal funds to cover expenses, the AMA said.

In addition, 32% have said they can’t submit claims, and 22% said they can’t verify if patients are eligible for benefits. The AMA conducted what it called an “informal survey” between March 26 through April 3, with more than 1,400 respondents.

Jesse M. Ehrenfeld, MD, president of the AMA, said the cyberattack has caused “tremendous financial strain” for physician practices.

“These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians,” Ehrenfeld said in a statement. “The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.”

Physician practices, medical groups, and hospitals and health systems have all been taking a financial hit from the Change Healthcare cyberattack. A subsidiary of UnitedHealth Group, Change Healthcare processes claims, billing, prescriptions and other services for providers nationwide. The company handles roughly one out of every three patient records, healthcare groups note.

Nearly all hospitals (94%) said they have suffered a financial impact from the Change Healthcare attack, according to a survey by the American Hospital Association. Nearly 60% of the hospitals said the impact on their revenue has been $1 million per day or greater.

Rick Pollack, president and CEO of the American Hospital Association, said earlier this month that hospitals continue to struggle with disruptions stemming from the cyberattack. Speaking at the Hospital + Healthcare Association of Pennsylvania Leadership Summit, Pollack said it’s unclear which hospitals may be directly affected by the loss of patient information, or how many records may have been taken.

Organizations are required to notify patients about health data breaches. While it’s unclear which hospitals are affected, Pollack said the notification requirements belong to Change Healthcare or UnitedHealth.

“It's their responsibility to inform patients, not our responsibility,” Pollack said.

UnitedHealth Group has made about $4.7 billion in payments to providers. The company has said it will continue to offer assistance to providers until there is a full system recovery. In a court filing this month, Change Healthcare said it has “worked tirelessly” to restore systems and support providers and consumers.

UnitedHealth Group has said the attack was launched by the “Blackcat” ransomware gang, which has targeted healthcare organizations in the past, federal authorities say.

Two dozen lawsuits have already been filed as of early April, almost evenly split between patients and providers, according to a court filing by Change Healthcare. The company has moved to have the cases consolidated in Nashville.

The U.S. Department of Health & Human Services said last month it has launched an investigation of Change Healthcare and UnitedHealth Group to determine if there was a violation of federal privacy regulations. The department cited the “unprecedented magnitude of this cyberattack.”

Cybersecurity experts have said the Change Healthcare attack illustrates that any healthcare organization is vulnerable to breaches.

K. Craig Kent, CEO of UVA Health, told Chief Healthcare Executive® in a March interview that the attack is a vivid example of the dangers health systems face from cyberattacks. Kent said he is confident UVA Health will weather the storm, but he said cybersecurity must be a top priority for hospitals and health systems.

“It's absolutely fascinating to see how one security breach can affect healthcare across the United States. It's fascinating, and it's scary,” Kent said.

“I'm sure this is just the beginning of the challenges that we'll have over the next decade, related to cybersecurity and the interconnectedness of us and other health systems and all the companies that support us.”