Hospitals, providers still scrambling to get paid after Change Healthcare cyberattack

The Feb. 21 cyberattack against Change Healthcare, a UnitedHealth Group technology unit that handles orders and patient payments, continues to reverberate throughout the U.S. health-care industry.

Providers are struggling to get paid, with several smaller ones reporting that they are running low on cash. Large hospital chains also are locked out of processing payments, with some absorbing the upfront costs of being unable to collect, according to the American Hospital Association.

“Their interrupted technology controls providers’ ability to process claims for payment, patient billing and patient cost-estimation services,” the AHA wrote in a letter to HHS Secretary Xavier Becerra. “Any prolonged disruption of Change Healthcare’s systems will negatively impact many hospitals’ ability to offer the full set of health-care services to their communities.”

Jenna Wolfson, a clinical social worker in Felton, Calif., said $4,000 in claims already are in limbo. “I’m not getting paid,” she said. “This could be catastrophic for me and other small- business mental health practitioners.”

Although the early impact may hit small offices harder, providers of all sizes will feel the strain if the outage persists. “Larger, more well-resourced hospitals that have alternate technologies and sufficient cash reserves will be able to sustain the outage initially and on a longer basis,” John Riggi, the AHA’s cybersecurity advisor, told Reuters.

Organizations that suffer high-impact ransomware attacks can take as long as 30 days to restore core services and weeks longer to bring back less-important functions. “It really depends on the damage that’s been done and the resources they have available to put toward recovery,” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.

The AHA, which represents nearly 5,000 member hospitals, health systems and other health care organizations, said that if hospitals and health systems remain deprived of this source of income, they may face challenges in meeting payroll for clinicians and other care team members; procuring essential medicines and supplies; and compensating for vital contract work in areas such as physical security, dietary and environmental services.

Related: Hacking at UnitedHealth’s Change Healthcare is still crippling the U.S. health system

“In addition, replacing previously electronic processes with manual processes will add considerable administrative costs on providers, as well as divert team members from other tasks,” the AHA letter to HHS said. “It is particularly concerning that while Change Healthcare’s systems remain disconnected, it and its parent entities benefit financially, including by accruing interest on potentially billions of dollars that belong to health-care providers.”

This breach underscores the dangers that cyberattacks present to health organizations, Steinhauer said.

“Health care is a target, because they have a high need or availability of their systems to provide care,” he said. “And they also have very sensitive data. And so both of those things provide leverage to potential attackers looking to extort the victim in the case of a ransomware incident.”