The Cyberattack Shaking Healthcare to Its Core

By now, you may have heard of or read something about the brutal cyberattack that hit UnitedHealth Group (UHG) subsidiary Change Healthcare. The scope of the breach was massive, and is said to have affected, or outright disrupted, every major facet of the healthcare industry.

So, what happened? What was the government asked to do to help? What does the fallout look like? And what actions has the government actually taken? Here is the Cliffs Notes version.

Change Healthcare, which connects hospitals and pharmacies with insurers, has had most of its systems offline since a Feb. 21 data breach, impeding claims and prescription processing nationwide. UHG has stated that systems will remain down until a later date in March.

According to the American Hospital Association (AHA), this is the most significant and consequential incident of its kind to impact the U.S. healthcare system in history. The AHA noted that Change Healthcare processes 15 billion healthcare transactions annually, and touches one in every three patient records.

The outage has widely affected billing, eligibility checks, prior authorization requests, and prescription fulfillment, and could spur greater emphasis on enhancing protocols – and greater oversight from the federal government.

In the wake of the attack, the feds have become involved.

First, the Centers for Medicare & Medicaid Services (CMS) issued a statement on the attack and guidance to Medicare Advantage (MA) and Part D sponsors to continue providing access to benefits by removing certain requirements – and to offer advanced funding, in some cases. CMS said it is in “communication with UHG” and “meeting with private health plans.”

Senators asked CMS itself to make accelerated and/or advanced payments available to affected providers and to streamline claims processing as well as payments.

The White House’s National Security Council has been asked to look into financial relief for hospitals, using funds from the U.S. Department of Health and Human Services (HHS) and Department of Veterans Affairs (VA).

HHS has been asked to help guarantee flexibility regarding timely filing requirements of claims, to extend timelines for appeals, and to reevaluate what counts as “critical infrastructure,” which would afford healthcare organizations more federal data breach protections.

However, none of these were able to stop or mitigate the staggering fallout from the breach.

Reports suggest that the cyberattack has impacted many insurers’ ability to track medical expenses. At the same time, insurers are observing a significant reduction in claims data following the breach, while UHG is contending with threats of litigation from patients: at least six cases seeking class-action status have been filed since the cyberattack, alleging that Change didn’t have reasonable cybersecurity measures in place.

Providers nationwide have been dealing with service delays, coping with an inability to receive and finalize reimbursements or check insurance eligibility, and hemorrhaging money.

Following all of this, CMS announced new flexibilities and relief efforts for physicians and other providers and suppliers. In particular, they made applications available for accelerated payments for Medicare Part A and B providers, directed Medicare Administrative Contractors (MACs) to expedite actions needed for providers and suppliers to change clearinghouses, urged Medicaid managed care plans to make prospective payments, and provided public information on how to submit requests for accelerated or advance payments.

While it’s still unknown how helpful these federal actions will be, we do know they are a far cry from fixing the underlying problem. The damage from the Change Healthcare data breach is extensive, and so too will be the effort to pick up the pieces.

More generally, it demonstrates how complex, interconnected, and fragile the healthcare ecosystem is. As such, the response could serve as a model for how future cyberattacks on healthcare organizations are handled – and approaches to help prevent them.

Stay vigilant, because government needs all the help it can get.