One of the most serious cyberattacks to ever hit the health care system is causing major disruptions in care at hospitals of all sizes in Georgia and across the country.
Anna Adams, a spokeswoman for the Georgia Hospital Association, said the hack was “very serious” with far-reaching impacts at what appears to be quickly growing into a crisis.
The American Hospital Association called it “the most significant cyberattack on the U.S. health care system in American history.”
Credit: TNS
Credit: TNS
Change Healthcare, a subsidiary of UnitedHealth Group, announced it had been hacked on Feb. 21. Change Healthcare is a company that plays a huge role in the U.S. health system, managing health care technology pipelines and processing 14 billion transactions a year. The effects of the hack have rippled across the country. According to the American Hospital Association, patients have struggled to get access to care and billions in payments to providers have been halted, threatening the financial viability of hospitals, health systems, physician offices and other providers.
The attack has also threatened the security of patients’ information and is delaying some prescriptions and paychecks for medical workers.
Change Healthcare announced Thursday that ransomware group ALPHV, or Blackcat, had claimed responsibility for the attack. Change Healthcare didn’t respond to a question about whether it paid or negotiated a ransom.
The company said its investigation determined that Change Healthcare, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected.
Health officials say the severity of the situation continues to grow as days go by with Change Healthcare’s services still not restored.
“Hospitals, health systems and other providers are experiencing extraordinary reductions in cash flow, threatening their ability to make payroll and to acquire the medical supplies needed to provide care. The urgency of this matter grows by the day,” the American Hospital Association said in a letter sent Monday to congressional leaders.
The letter called for the federal government to step in with urgent aid. “UnitedHealth Group’s ‘Temporary Funding Assistance Program’ that it stood up as part of its response on March 1 will not come close to meeting the needs of our members as they struggle to meet the financial demands of payroll, supplies” and more, the letter read.
Adams said hospitals are having issues with processing claims and checking insurance coverage for care. Without the ability to check for prior authorizations, Adams said major medical procedures could be put on hold if there is not enough cash flow to pay staff.
Most nonprofit hospitals and health systems have cash on hand to cover at least 100 to 150 days of expenses, according to an analysis by KFF. About 9% had fewer days of cash on hand. That means this hack could quickly become devastating for some systems, especially for rural hospitals, which operate with slimmer margins.
Adams said the hack has already resulted in $10 million lost in cash flow at a major hospital system in Georgia, which she declined to name without permission, and at least one smaller hospital has lost $1 million in cash flow.
In a statement from Emory Healthcare, the hospital system said after it learned of the attack, their digital cybersecurity teams “immediately disconnected from Change Healthcare to minimize any potential threat to our systems.” Officials are unaware of any data breach in the Emory Healthcare system and will continue to monitor the situation.
The statement said the hospital system has been doing more manual processing and workarounds to manage insurance verifications and co-pay calculations. They are also having to print some prescriptions that were previously handled electronically.
Jim Matney, CEO of Colquitt Regional Medical Center, a 99-bed hospital located in southwest Georgia, said the hospital has been unable to file claims for $1.2 million due to the hack, but he said the interruption of services has not yet impacted the system’s ability to provide care or pay staff. He said the hospital, which is located in Moultrie, has about 100 days of operational cash on hand.
“Let’s just call it a big nightmare of situation, he said. “And I don’t blame anybody because you know except for the Grace of God we can all go through this.”
Matney said Change initially said the system would be back on by the end of the month. “Now they don’t have a date when their system will come back,” he said.
The Atlanta Journal-Constitution reached out to other hospital systems including Piedmont Healthcare and Wellstar Health System but did not receive an immediate response by deadline.
Cybersecurity experts say ransomware attacks have increased substantially in recent years, especially in the healthcare sector. This one comes on the heels of an attack last month on a children’s hospital in Chicago, which had to take phone, email and medical records systems offline.
Adams said the Georgia Hospital Association is encouraging insurance companies to waive or extend timely claim filing requirements as well as urging them to make interim payments to hospitals that can show a hardship due to the reduction in cash flow.
Matney said both of these measures are critically important.
U.S. Senate Majority Leader Chuck Schumer, D-N.Y., wrote Friday to Centers for Medicare and Medicaid Services asking the agency to make accelerated and advanced payments available to hospitals, pharmacies and other providers impacted by the cyberattack and to direct Medicare Administrative Contractors to streamline claims processing and payments.
“Hospitals are struggling to process claims, bill patients, and receive electronic payments, leaving them financially vulnerable,” Schumer wrote. “Many hospitals are approaching a financial cliff where they will no longer be able to rely on their cash on hand. The longer this disruption persists, the more difficult it will be for hospitals to continue to provide comprehensive healthcare services to patients.”
The Associated Press contributed to this article.
About the Author