Change Healthcare's systems are still offline following the ransomware attack on February 21.

AMA, AHA tell US government to do better by providers affected by Change Healthcare hack

March 08, 2024
by John R. Fischer, Senior Reporter
The American Medical Association and the American Hospital Association say that the U.S. government’s acceleration of Medicare and Medicaid payments does not go far enough to assist providers and other healthcare entities affected by the ransomware attack on UnitedHealth Group subsidiary Change Healthcare.

Change, a provider of revenue management systems, revealed on February 21 that hackers affiliated with the BlackCat ransomware group caused “enterprisewide” connectivity issues that are still being felt weeks later with providers unable to submit claims and process reimbursements to pay expenses and employees, and pharmacists in all 50 states having trouble confirming insurance coverage and copayments to fill prescriptions, reported Cyber Daily. The company has taken its information technology systems offline, and there is no timeline yet for when its systems will be back up.

Additionally, according to Wired, a partner of BlackCat says that Change recently paid $22 million (350 bitcoin) as a ransom to retrieve protected information but that the ransomware group, which has shut down its site, still has the sensitive information along with data on healthcare partners that it obtained when it breached Change’s network, including Medicare and a host of other major insurance and pharmacy networks, reported Wired. Change has not confirmed or denied this claim.

To help cushion the impact on healthcare entities, the government says facilities may submit accelerated payment requests to their respective Medicare Administrative Contractor (MAC). It is also urging and providing guidance to Medicare Advantage (MA) organizations and Part D sponsors for “removing or relaxing prior authorization, other utilization management, and timely filing requirements” while the systems are offline, and encouraging Medicaid and CHIP managed care plans to do the same.

Additionally, it is advising these programs to issue waivers, exceptions, or extensions, and to accept paper claims. But both the AMA and the AHA say these measures fail to protect individual physician practices and adequately address the effects of what the AHA is calling “the most significant and consequential incident of its kind against the U.S. healthcare system in history."

"The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it. The measures announced today do not do that and are not an adequate whole of government response," Rick Pollack, president and CEO of the AHA, said in a statement.

With encouragement from the AMA and the AHA, Congress has urged CMS to issue advanced payments to providers, as it did during the pandemic, to ease cash deficits. Both associations say that small hospitals, which are already struggling amid labor costs and shortages, are unable to pay office bills or their employees, straining their financial woes further. While large hospitals can absorb the loss of reimbursement for now, many have been forced to take down their payment and billing management systems.

UnitedHealth Group, which is the largest health insurance company by revenue, says there is no indication that the attack affected Optum, UnitedHealthcare, and UnitedHealth Group systems. Change Healthcare has implemented a Temporary Funding Assistance Program to provide short-term cash payments to providers most impacted and has created a temporary version of its Rx ePrescribing service to help drugstores, hospital pharmacies, and other affected providers fill orders. UnitedHealth Group has also provided “effective electronic workarounds” for providers and pharmacists.