Change Healthcare's parent company discovered that a cyber threat actor breached part of its network, according to an SEC filing.
UnitedHealth Group Inc. headquarters in Minnetonka, Minn. Mike Bradley / Bloomberg via Getty Images file
March 1, 2024, 12:39 PM UTC / Source : CNBCSmall private practices and health-care providers are facing mounting financial pressures as crucial reimbursement systems remain down for the ninth day, following the cyberattack on Change Healthcare.
Change Healthcare offers tools for payment and revenue cycle management that help facilitate transactions between providers and most major insurance companies. Its parent company UnitedHealth Group discovered that a cyber threat actor breached part of the unit’s information technology network on Feb. 21, according to a filing with the U.S. Securities and Exchange Commission.
As a result, the company isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said.
The fallout has caused a ripple of disruption across the U.S. health-care system.
Doctors told CNBC the outage has left them unable to check patients’ eligibility for treatment or fill prescriptions electronically, which has created more administrative responsibility for workers that are already overwhelmed by clerical work. Perhaps more importantly, providers have been unable to receive reimbursements from insurers, effectively grinding many health systems’ revenue cycles to a halt.
Smaller and mid-sized practices that rely on reimbursement cash flow to operate are making tough decisions about how to stay afloat. If the outage drags on for too long, experts say some practices may have to close their doors for good.
Dr. Purvi Parikh, an allergist and immunologist with a private practice in New York City, told CNBC that the breach has been a “mess” and a “big stressor.” Like many others, she said her practice hasn’t been able to receive reimbursements from insurers for patient visits, which makes it difficult for the practice to pay for operational expenses like payroll and medical supplies.
Switching to a new platform could take weeks, Parikh said, so there’s no immediate workaround available. As of Thursday, Change Healthcare has not shared any updates about when it expects its systems to be back online.
“The most frustrating part is that nobody has any answers or solutions,” Parikh said. “We’re kind of just stuck.”
Change Healthcare on Thursday said that ransomware group Blackcat is behind the attack. Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice.
The company said it is working with law enforcement and third party consultants like Mandiant, which is owned by Google, and cybersecurity software vendor Palo Alto Networks to assess the breach.
“Patient care is our top priority and we have multiple workarounds to ensure people have access to the medications and the care they need,” Change Healthcare said in a statement to CNBC.
Dr. Kiranjit Khalsa, an allergist and immunologist who runs an independent practice in Scottsdale, Arizona, said her staff has been working longer hours to try and accommodate the extra work as a result of the breach, as well as manually calling in prescriptions.
She said the problems around reimbursement have been the “biggest burden,” since she is worried about how she can continue to support her patients and employees. Khalsa is considering cutting back hours for staff and even closing the clinic for a few days.
“I worry about providing for them,” Khalsa told CNBC in an interview. “I also worry about: Where am I going to get this money if it does not come through? Do I need to take a loan out to keep the clinic afloat?”
Even when Change Healthcare’s systems do come back online, there are a lot of unanswered questions about what will happen next, according to Dr. Dan Inder Sraow, an interventional cardiologist who owns a private practice around Phoenix, Arizona. He said it’s not clear whether Change Healthcare will take on the responsibility of processing all the claims or if he’ll need to hire additional staff to help.
“I don’t think that people are aware that the actual people providing the services are not able to extract revenue for those services,” Dr. Sraow told CNBC. “We don’t know how long that’s going to be, and that’s such a dangerous, dangerous thing.”
Dr. Jesse Ehrenfeld, president of the American Medical Association, said he has spent days fielding calls from concerned colleagues.
He said he spoke with one doctor who runs an oncology practice and only has up to two weeks’ worth of cash on hand. If the outage drags out, the practice won’t be able to buy the chemotherapy that its patients depend on for treatment.
Since many providers are operating on razor-thin margins, Ehrenfeld said there is a possibility that some will go out of business.
“We have so many practices that are on the fringe, particularly smaller practices, where they are just scraping by,” Ehrenfeld told CNBC in an interview. “Any aberration in the system where, ‘Oh, you don’t get checks for two weeks,’ obviously is a situation that does put practices at risk.”
In 2022, Change Healthcare merged with the provider Optum, which services more than 100 million patients in the U.S. and is owned by UnitedHealth, the country’s biggest health-care company by market cap.
The American Medical Association vocally opposed the merger, writing in a letter to the DOJ that the union could stifle competition, give UnitedHealth access to large data stores and potentially disrupt patient care.
The merger ultimately went through, but the DOJ has recently launched an antitrust investigation into UnitedHealth, according to a Wall Street Journal report Tuesday.
“It’s just sort of like a perfect storm of regulatory issues [and] lack of competition — and unfortunately, the people who are really going to suffer are patients and individuals who work in the healthcare system,” said Dr. Ravi Parikh, a retina specialist that owns and operates a practice in New York City.
The cyberattack has left Parikh’s clinic without a way to receive reimbursements for the expensive medications it administers. He said he has been thinking about contingency plans, such as seeking out cheaper medications and asking some patients to pay upfront, but his focus is on providing the best care possible.
“The health care system could eventually come to a halt because a lot of clinics and pharmacies might not be viable,” Parikh said