The cyberattack on payments processor Change Healthcare has left crucial reimbursement systems down for nine days since its discovery, and it could take weeks before full service is restored. Rick Pollack, CEO of the American Hospital Association (AHA), called it “the most serious incident of its kind leveled against a U.S. health care organization.”
United HealthCare, Change Healthcare’s parent company, reported on February 21 that a hacker had breached its IT network. Change Healthcare promptly shut down the affected systems. Since then, providers have been struggling to receive reimbursements from insurance companies.
According to the AHA, hospitals are having issues with processing claims, billing patients, and checking insurance coverage for care. They may soon face challenges in paying their workers and making routine purchases. Change Healthcare officials said the outage could last for weeks, according to a recording obtained by the healthcare news site STAT.
Change Healthcare processes 15 billion healthcare transactions, including eligibility verifications and pharmacy operations, along with claims transmittals and payments. A spokesperson for Change Healthcare said that more than 90% of the 70,000 U.S. pharmacies using its payment processor have resorted to alternative methods for handling payments.
Assistance for Affected Users
Pollack said the AHA has issued a series of Cybersecurity Advisories to provide users with guidance about the cyberattack. A webpage devoted to the incident offers updated information for hospitals, pharmacies, and other users of the Change Healthcare system.
The AHA has also asked the Department of Health and Human Services to “minimize the fallout from the cyberattack” by helping with Medicare processes. Pollack said they have requested “guidance to providers about how they may request Medicare advanced and accelerated payments; provide flexibility with respect to e-prescribing regulations; and provide an extension to the timely filing requirements under federally regulated health plans.”
Change Healthcare has said that ransomware group Blackcat claimed credit for the attack. Also known as Noberus and ALPHV, Blackcat steals sensitive data from institutions and threatens to publish it unless a ransom is paid.
Despite the severity of this attack, ransomware payments have actually been declining in recent years. The percentage of ransomware victims who paid ransom demands dropped to 29% in Q4 2023, according to data by Coveware. The report also found that the average ransom payment in Q4 2023 decreased by 33% to $568,705 compared to the previous quarter.
