Hospitals see more problems from ‘unprecedented’ cyberattack of UnitedHealth’s Change Healthcare

Almost a week after a cyberattack of Change Healthcare, hospitals and health systems are seeing more impacts from the disruption.

Health systems are seeing difficulties in a host of areas, including processing claims and determining if a patient’s insurance will cover treatments, the American Hospital Association says. Hospitals have been anxious about the toll of the attack on their operations, since the attack was first disclosed Feb. 21. Change Healthcare’s systems remained down Tuesday.

In a letter to the U.S. Department of Health and Human Services, Rick Pollack, president and CEO of the American Hospital Association, outlined some of the looming financial consequences from the cyberattack of Change Healthcare.

“This unprecedented attack against one of America’s largest health care companies has already imposed significant consequences on hospitals and the communities they serve,” Pollack wrote. “Although the full scope of the impact is still unclear, Change Healthcare’s vast nationwide reach suggests that it could be massive.”

Pollack said hospitals may need more assistance from the government, and also called for more clarity from Change and its parent company, United HealthGroup, about the scope of the problems and when services will be restored.

“Change Healthcare’s downed systems also will have an immediate adverse impact on hospitals’ finances and the work they do every day to care for patients and communities,” Pollack wrote in the letter. “Their interrupted technology controls providers’ ability to process claims for payment, patient billing and patient cost estimation services. Any prolonged disruption of Change Healthcare’s systems will negatively impact many hospitals’ ability to offer the full set of health care services to their communities.”

• Read more: Emerging cybersecurity threats in healthcare: Special Report

Disrupted claims and clinical support

UnitedHealth Group, the parent company of Optum, which includes Change Healthcare, said in an SEC filing the incident was discovered Feb. 21. Optum said Friday it had disconnected Change Healthcare’s systems. “We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” Optum has said.

Optum posted another update Tuesday saying the organization continues to work on the problem, mirroring messages published in recent days. The message didn’t offer estimates on when services could be restored. UnitedHealth has said it is working with law enforcement and security experts.

Change Healthcare provides a host of services to hospitals and health systems, including pharmacy solutions, revenue cycle management, data analysis, patient engagement and clinical support. Citing information released by Change Healthcare, the AHA says the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records.

The hospital association says disruptions have included clinical decision support and pharmacy operations, in addition to verifying eligibility for insurance.

Change Healthcare also operates portals to check on prior authorization for insurers’ approval of treatments. Pollack wrote in the letter that Change says the portals are active, but hospitals are having problems.

“Our members are reporting that a substantial portion of their claims still cannot be processed, nor can they complete eligibility checks necessary to determine whether a patient’s insurance covers a prospective treatment,” Pollack wrote.

While many of these services are done electronically, hospital staff are also turning to managing some tasks manually, which is adding costs to providers, Pollack wrote.

In the letter to the health department, Pollack wrote, “It is particularly concerning that while Change Healthcare’s systems remain disconnected, it and its parent entities benefit financially, including by accruing interest on potentially billions of dollars that belong to health care providers.”

• Read more: The 11 biggest health data breaches of 2023

Seeking ‘greater transparency’

The hospital association is anxious to get more information on the attack and when systems could be restored. The AHA has asked federal officials to ensure open communication from Change Healthcare to providers.

“We are in communication with their leadership and have asked for certain support, including greater transparency about the nature and scope of the attack, an anticipated timeline for resolution, and temporary access to advanced payments to help providers weather the period while normal claims processing functions are down,” Pollack wrote.

The AHA is also asking the government to provide guidance on getting accelerated payments from Medicare during the disruption. The association is asking federal officials to advise surveyors about the potential for delays in care that are beyond the control of hospitals, and said hospitals shouldn’t be cited as a result of those disruptions.

Some military hospitals around the world have been affected by the attack. The Naval Hospital at Camp Pendleton posted a message on its website that said the attack on Change Healthcare “has affected military clinics and hospitals worldwide.” Military pharmacies are being impacted as well.

Retail pharmacies, including CVS and Walgreens, have seen disruptions, CNBC and Kiplinger report.

‘Healthcare is a target’

Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, tells Chief Healthcare Executive® that the attack on Change Healthcare underscores the dangers of cyberattacks to health organizations.

“Healthcare is a target because they have a high need or availability of their systems to provide care,” Steinhauer says. “And they also have very sensitive data. And so both of those things provide leverage to potential attackers looking to extort the victim in the case of a ransomware incident.”

• Read more: Paying the ransom: Hospitals face hard choices in cyberattacks

Health systems of all sizes have suffered breaches of their systems in cyberattacks. More than 100 million Americans were affected by breaches of private health information in 2023. In addition to being costly, cyberattacks threaten patient safety, forcing hospitals to divert patients to other providers. Neighboring hospitals can see the impact of ransomware attacks with a higher volume of patients, researchers say.

Organizations need to make sure they’ve patched any vulnerabilities in their systems, Steinhauer says. They need to have updated software and should be using multi-factor authentication, such as entering a password and then using a code from an app to enter a system.

He also says the incident underscores the need for organizations to have strong response plans, including contingencies for responding to attacks late at night or on a weekend or holiday.

“Attackers follow our holiday calendar,” Steinhauer says. “They know when we're asleep, they know when we're celebrating Christmas, and they plan their attacks around those times on purpose.”

At some point after services are restored, Steinhauer says he hopes Change Healthcare will provide more insight into the attack, so hospitals and other organizations can learn some lessons and address potential vulnerabilities to guard against other attacks.

“A good organization will admit if there were shortcomings in their processes,” Steinhauer says.