Change Healthcare System Hack
By now, you may have heard of the Change Healthcare cyberattack that took place on February 21, 2024. We wanted to update you, our clients, with information and provide proactive steps to take.
Background
For those who are unaware of what I am referring to, let me provide a quick overview.
First, Change Healthcare is a health-tech company that provides thousands of pharmacies and healthcare insurance providers in the U.S. with tools that allow them to process claims and other essential payment and revenue management. Many electronic health records systems (EHRs) and platforms such as Alma and Headway, use Change healthcare systems.
Change Healthcare is owned by United Healthcare and Optum, which is the current administrator for Maryland Medicaid.
On February 21, 2024, a cyberattack was launched by the ALPHV/Blackcat ransomware group against Change Healthcare’s systems, allowing them to breach their networks.
As soon as the attack was detected, Change Healthcare immediately disconnected its systems to isolate the attacks, prevent further breaches, and to protect other systems, companies, and consumers from harm.
What is ALPHV/Blackcat?
Blackcat is a cybercriminal organization that uses ransomware to encrypt sensitive data with the aim of extorting significant financial gain from its victims.
Blackcat has launched previous attacks on nearly 70 companies; the healthcare industry has been the most common target. The targeted victims are left with no other option but to pay the ransom or risk losing their data permanently.
Ransomware is a type of malicious software or malware that prevents a user from accessing computer files, systems, or networks until a ransom is paid for their return.
In a recent statement, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and HHS issued a joint advisory implying that the group is not done targeting the healthcare sector. (You can find the statement here: CYBERSECURITY ADVISORY--CISA)
How Does This Affect Mental Health Practices?
The attack on Change Healthcare has had a widespread impact on the healthcare sector.
Impact on Pharmacies.
One of the biggest impacts is that pharmacies across the country, particularly Walgreens and CVS, have been unable to fulfill prescriptions for patients.
It is important also to note that Tricare is affected as well, and military pharmacies worldwide are currently having issues filling prescriptions, potentially interfering with medication needs for hundreds of thousands of service people and their families.
Impact on Health Insurance Providers.
Many of the insurance providers have stopped processing claims altogether or are requiring direct filing with them. Here is a helpful list of payers impacted: Payers Impacted Due to Change Healthcare Security Incident
Impact on Practitioners and Practices
What this means for mental health practices is that all of the EHR billing systems used by mental health practices have been directly affected by the Change Healthcare cyberattack in some way.
Electronic claim submission (including EDI-to-paper claims), ERAs, and real-time eligibility (RTE) checks are all down during this outage.
For mental health practices that bill insurance through an EHR, the most immediate impact is likely to be felt in that claims they have submitted through their EHRs since February 21, 2024, are not being paid out.
As of now, many practices and practitioners may not yet feel the impact of this attack as the typical one-to-three-week lag between submitting insurance claims and receiving payments. Therefore, many practices are still receiving reimbursement from claims submitted weeks ago.
However, as claims continue to sit unprocessed since February 21, 2024 in EHR billing systems that use Change Healthcare, we anticipate that there will be significant delays in reimbursement until the system is restored to full functioning. It is extremely important for practitioners who submit claims for insurance to understand the following:
In your system right now, you likely have claims that you have submitted and claims that are being paid out. The cyberattack likely will not impact claims already processed and being readied to be paid.
The impact you may experience will come from the claims submitted that have not yet been paid. Submitted does not mean the same thing as paid, so those claims may be outstanding and remain unpaid for some time period in the near future until the system is restored to full functionality.
This means you will likely not be paid for the moment on those claims and may not be paid the funds you normally anticipate to cover your business costs, including payroll and expenses. And you need to be prepared for that.
It is important to note that at this time, Simple Practice may only be partially unaffected, as it uses which uses the Eligible clearinghouse (similar to Change Healthcare, but a different company and system entirely) and thus may be able to process claims. However, it is our belief that in a very short time, practitioners using Simple Practice may also experience delays in being paid on some of their submitted claims.
It is important also to note that your submitted-but-unpaid claims will eventually be paid. It is just not clear yet when that might happen in the immediate future.
So, What is the Status Now?
As of now, unfortunately, nothing is resolved. As of this email, neither Change Healthcare, United Healthcare, nor Optum have offered any timeline for when systems will return to normal functioning. Here is information to know:
Recent reports now indicate that there was a payment of $22 million dollars in bitcoin to Blackcat.
Blackcat remains operational and it is entirely possible may launch further attacks on the healthcare system in the near future.
There are no real updates to give to practices right now about timelines, because there is no available timeframe for when things may be restored to normal and the system back up and running.
As of this newsletter, neither Change Healthcare, United Healthcare, nor Optum have offered any timeline for when systems will return to normal functioning. However, statements released affirm that they are working on getting things resolved.
What Can Practitioners Do?
Recommendation #1:
The first thing practices should do is go into their system and review what claims are outstanding. Determine which are being readied for payment and which claims are submitted and not paid. This will tell you how much is outstanding and how much of an anticipated shortfall your practice may experience in the short term.
Recommendation #2:
Going forward, you should seek to submit claims directly to the insurance providers you are paneled with.
This may be a time-consuming process, as it will mean having your billing manager/team and/or you and some of your staff complete and submit your billing manually.
This seems to be a workaround yielding results and getting the claims paid.
Plan to have a staff member(s) be assigned to handle these for you going forward until the system can be restored.
Recommendation #3:
This is the least ideal of our recommendations, but in the event your practice starts to really feel the pinch or struggle to pay expenses and costs (including payroll):
For the time being, review your costs and expenses. Work with your accountant to see if there are things you can trim for the moment.
If you have cash reserves, be prepared to use them if needed. You can replenish them later.
If possible, contact vendors and 3rd parties you contract services with to determine if you can extend payment terms, and have flexibility on timelines for paying them.
We welcome you to reach out to us if you want further information or have concerns or issues related to your own circumstances, and/or want to set up a consultation to discuss things.
DISCLAIMER:
This article is legal information and is not provided as a source for legal advice. It is made available by Mayer Law, LLC for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By reading this blog, you understand that no attorney-client relationship is established between you and Mayer Law, LLC. This blog should not be used as a substitute for competent legal advice; you should consult with an attorney before relying on this information.