Find out if new regulations could be in store. On Feb. 21, 2024, Change Healthcare fell victim to a ransomware attack believed to have been executed by AlphV/Blackcat. The resulting network outage of Change Healthcare’s systems has caused rippling effects throughout the healthcare industry. As healthcare organizations endure another month of financial disruption from this ransomware attack, Tech and Innovation in Healthcare examined the lasting impacts of the incident. Have Your Providers Been Affected? The disruption has severely impacted healthcare providers. A recent poll of 10,000 AAPC members shows that more than 80 percent of respondents have been impacted by the attack. The largest group of respondents — 36 percent — rated the severity of the attack’s impact at a 10, on a scale of 1 to 10.
The most impacted area was claims submission at 82 percent, the poll indicates. But payment of prior submitted claims (68 percent) and eligibility (58 percent) also head up the list. Reach Out to Request Advanced Payments The ransomware attack has impacted healthcare finances significantly since February 21. According to a March 2024 survey released by the American Hospital Association (AHA), 94 percent of hospitals are reporting monetary impact, “with more than half reporting ‘significant or serious’ impact.” Simultaneously, nearly 60 percent attest that the revenue impact is $1 million or more per day. Through several initiatives, UnitedHealth Group (UHG) has advanced more than $2 billion to providers affected by the cyberattack. The company also “suspended prior authorizations for most outpatient services and utilization review of inpatient admissions for Medicare Advantage plans,” according to a March 18, 2024 press release. On the same day, UHG started releasing medical claims preparation software in an effort to resume operations in full capacity. “We continue to make significant progress in restoring the services impacted by this cyberattack,” said Andrew Witty, CEO of UnitedHealth Group, in the release. The Centers for Medicare & Medicaid Services (CMS) also recognized the strain of the outage on healthcare providers and took steps to offer assistance. On March 5, the Department of Health and Human Services (HHS) announced that CMS is encouraging organizations to submit requests for accelerated Medicare Part A payments to their Medicare Administrative Contractors (MACs) for consideration on an individual basis. A few days later on March 9, CMS issued a press release announcing it would consider “applications for advance payments for Part B suppliers.” With Change Healthcare/Optum suggesting systems will be tested starting the week of March 18, you may want to act quickly on the accelerated and advanced payments (AAPs) to alleviate cash flow issues, say attorneys Anna Grizzle, Angela Humphreys, and Elaine Naughton with law firm Bass, Berry & Sims. “While there is no specified deadline, CMS will not issue accelerated and advance payments once the disruption to claims servicing is remediated, regardless of when a request is received,” they advise. “Further, CMS reserves the right to conduct post-payment audits related to any accelerated or advance payments issued under this program,” Grizzle, Humphreys, and Naughton note in online legal analysis. Prepare for Federal Investigations Since the cyberattack affected practices and patients on a grand scale, it shouldn’t be a surprise that Change Healthcare is facing lawsuits and investigations. HHS opened an investigation into the attack on March 13. “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, [Office for Civil Rights] OCR is initiating an investigation into this incident,” wrote Melanie Fontes Rainer, director of OCR in an open letter. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” Fontes Rainer continued. Change Healthcare shouldn’t only be concerned about the feds investigating the company’s role in the attack. Multiple class-action lawsuits have been filed by providers who have been unable to access the company’s services during the outage. For example, on March 18, 2024, Gibbs Law Group filed a class-action lawsuit against Change Healthcare on behalf of providers following the cyberattack. “Given their role providing critical infrastructure in the nationwide delivery of healthcare, [Change Healthcare] knew they needed to implement incredibly robust cybersecurity controls to prevent disruptions,” attorneys Rosemary M. Rivas, David M. Berger, and Rosanne L. Mah wrote in the class-action complaint. “Instead, [Change Healthcare] neglected to implement the robust cybersecurity controls that such critical infrastructure demands,” the attorneys continued. Recognize the Need for Regulations Government officials are responding to the outage with concern. Lawmakers are worried that the incident could lead to additional or more devastating attacks on the healthcare industry. On March 14, the U.S. Senate Ways and Means Committee held a hearing with HHS Secretary Xavier Becerra. Chair Ron Wyden (D-Ore.) urged Becerra to have HHS adopt cybersecurity standards for healthcare providers. “Private-sector opposition to effective cybersecurity rules is the number one reason our critical infrastructure, particularly in the healthcare sector, is so woefully unprepared for even unsophisticated cyberattacks,” Wyden also told Politico. “As these companies have become so large, it is creating a systemic cybersecurity risk.”