Change Healthcare Ransomware Attack Having Massive Impact on Providers
The outage at Change Healthcare that occurred on February 21, 2024, as a result of a Blackcat ransomware attack is taking its toll on the small practices and pharmacies that rely on its systems, many of which have now been offline for 9 days. The outage has meant that doctors have been left unable to check whether patients are eligible for treatment and pharmacies have been unable to fill prescriptions electronically, resulting in delays to patient care and huge backlogs. Clerical staff are overwhelmed and are having to work longer hours and manually call in prescriptions and revenue cycles have ground to a halt.
Smaller practices especially are experiencing major financial difficulties as they have been unable to receive reimbursement from insurance companies which means they have been unable to pay for operational expenses such as medical supplies and payroll. Many practices operate on very thin margins and any extended disruption to their revenue streams could prove to be catastrophic. Some providers are having to make difficult decisions about whether to remain open, while others fear that they may even have to close their practices for good. To make matters worse, no timescale has been provided on how long it will take Change Healthcare to restore access to its systems, and even when they are brought back online providers will continue to struggle.
Following a cyberattack, it is rarely possible to give a concrete timescale for recovery. Systems need to be secured, the incident must be investigated, and systems have to be rebuilt, tested, and brought back online only when it is safe to do so. Change Healthcare explained in a statement that, “Patient care is our top priority and we have multiple workarounds to ensure people have access to the medications and the care they need.” While those processes are in place and working, they are time-consuming and costly and cash reserves are dwindling fast due to the billing disruption.
On February 28, 2024, the Medical Group Management Association (MGMA) wrote to HHS Secretary Xavier Becerra, urging the HHS to use its authority and all the available tools at its disposal to provide support to the physician practices affected by the cyberattack to ensure they can continue to provide care to patients. MGMA said members are now facing substantial billing and cash flow disruptions, have received limited electronic remittance advice from health plans, and are struggling due to a lack of access to crucial data infrastructure to allow them to succeed in their value-based care arrangements. Some members have complained that prior authorization submissions have been rejected or cannot be transmitted and eligibility checks cannot be performed. At pharmacies, patients are facing significant delays in receiving essential medications which has left them with no alternative other than to self-pay. Those without the financial means to do so are having to go without essential medications.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Many practices have been able to use cash reserves to get them through, but a great number of practices simply do not have the available funds as they have already been struggling due to cuts to Medicare reimbursement, staffing shortages, and high inflation. The delay in payment is threatening their ability to operate. While most practices have lines of credit, that credit is essential at the start of the year before they are able to accrue enough revenue to pay salaries and operating expenses. The MGMA said the timing of the cyberattack could not have been any worse. The MGMA said a cyberattack such as this highlights the significant harm that can be caused when there is an extended billing disruption at a very large corporate entity. The MGMA said “Guidance, financial resources, enforcement discretion, and more are needed to avoid escalating an already serious situation.
The American Health Care Association (AHCA) and the National Center for Assisted Living (NCAL) also wrote to HHS Secretary Becerra expressing their concern about the Change Healthcare cyberattack and the impact it is having on their members. AHCA and NCAL requested that the HHS and the Centers for Medicare and Medicaid Services educate the impacted providers about their rights to request an accelerated payment from their Medicare Administrative Contractor (MAC.)
Specifically, they requested the HHS and CMS announce that providers are eligible for advance payments, encourage Medicare Advantage plans to provide some form of advance payment option for affected providers, and instruct the MACs to notify providers if their claims processing capabilities have been impacted, and explain that they have the right to request an accelerated payment and to provide instructions on how the request should be submitted to the MAC.
AHCA and NCAL have also called on the HHS to advise State Health Departments and Survey Agencies about the operational and financial challenges associated with this event to contextualize grievances from residents or family members and reduce unnecessary citations or complaint surveys related to factors outside of the direct control of facilities, and to assess whether the attack is reasonably expected to adversely impact value-based care programs and reimbursement structures to minimize adverse impacts to participating providers.
