Kaiser Health News
Biden Team, UnitedHealth Struggle to Restore Paralyzed Billing Systems After Cyberattack
Darius Tahir and Bernard J. Wolfson and Daniel Chang
Fri, 08 Mar 2024 10:00:00 +0000
Margaret Parsons, one of three dermatologists at a 20-person practice in Sacramento, California, is in a bind.
Since a Feb. 21 cyberattack on a previously obscure medical payment processing company, Change Healthcare, Parsons said, she and her colleagues haven’t been able to electronically bill for their services.
She heard Noridian Healthcare Solutions, California’s Medicare payment processor, was not accepting paper claims as of earlier this week, she said. And paper claims can take 3-6 months to result in payment anyway, she estimated.
“We will be in trouble in very short order, and are very stressed,” she said in an interview with KFF Health News.
A California Medical Association spokesperson said March 7 that the Centers for Medicare & Medicaid Services had agreed in a meeting to encourage payment processors like Noridian to accept paper claims. A Noridian spokesperson referred questions to CMS.
The American Hospital Association calls the suspected ransomware attack on Change Healthcare, a unit of insurance giant UnitedHealth Group’s Optum division, “the most significant and consequential incident of its kind against the U.S. health care system in history.” While doctors’ practices, hospital systems, and pharmacies struggle to find workarounds, the attack is exposing the health system’s broad vulnerability to hackers, as well as shortcomings in the Biden administration’s response.
To date, government has relied on more voluntary standards to protect the health care system’s networks, Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, said. But “the purely optional, do-this-out-of-the-goodness-of-your-heart model clearly is not working,” he said. The federal government needs to devote greater funding, and more focus, to the problem, he said.
The crisis will take time to resolve. Comparing the Change attack to others against parts of the health care system, “we have seen it generally takes a minimum of 30 days to restore core systems,” said John Riggi, the hospital association’s national adviser on cybersecurity.
In a March 7 statement, UnitedHealth Group said two services — related to electronic payments and medical claims — would be restored later in the month. “While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established,” the company said.
“We’re determined to make this right as fast as possible,” said company CEO Andrew Witty.
Providers and patients are meanwhile paying the price. Reports of people paying out-of-pocket to fill vital prescriptions have been common. Independent physician practices are particularly vulnerable.
“How can you pay staff, supplies, malpractice insurance — all this — without revenue?” said Stephen Sisselman, an independent primary care physician on Long Island in New York. “It’s impossible.”
Jackson Health System, in Miami-Dade County, Florida, may miss out on as much as $30 million in payments if the outage lasts a month, said Myriam Torres, its chief revenue officer. Some insurers have offered to mail paper checks.
Relief programs announced by both UnitedHealth and the federal government have been criticized by health providers, especially hospitals. Sisselman said Optum offered his practice, which he said has revenue of hundreds of thousands of dollars a month, a loan of $540 a week. Other providers and hospitals interviewed by KFF Health News said their offers from the insurer were similarly paltry.
In its March 7 statement, the company said it would offer new financing options to providers.
Providers Pressure Government to Act
On March 5, almost two weeks after Change first reported what it initially called a cybersecurity “issue,” the Health and Human Services Department announced several assistance programs for health providers.
One recommendation is for insurers to advance payments for Medicare claims — similar to a program that aided health systems early in the pandemic. But physicians and others are worried that would help only hospitals, not independent practices or providers.
Anders Gilberg, a lobbyist with the Medical Group Management Association, which represents physician practices, posted on X, formerly known as Twitter, that the government “must require its contractors to extend the availability of accelerated payments to physician practices in a similar manner to which they are being offered to hospitals.”
HHS spokesperson Jeff Nesbit said the administration “recognizes the impact” of the attack and is “actively looking at their authority to help support these critical providers at this time and working with states to do the same.” He said Medicare is pressing UnitedHealth Group to “offer better options for interim payments to providers.”
Another idea from the federal government is to encourage providers to switch vendors away from Change. Sisselman said he hoped to start submitting claims through a new vendor within 24 to 48 hours. But it’s not a practicable solution for everyone.
Torres said suggestions from UnitedHealth and regulators that providers change clearinghouses, file paper claims, or expedite payments are not helping.
“It’s highly unrealistic,” she said of the advice. “If you’ve got their claims processing tool, there’s nothing you can do.”
Mary Mayhew, president of the Florida Hospital Association, said her members have built up sophisticated systems reliant on Change Healthcare. Switching processes could take 90 days — during which they’ll be without cash flow, she said. “It’s not like flipping a switch.”
Nesbit acknowledged switching clearinghouses is difficult, “but the first priority should be resuming full claims flow,” he said. Medicare has directed its contractors and advised insurers to ease such changes, he added.
Health care leaders including state Medicaid directors have called on the Biden administration to treat the Change attack similarly to the pandemic — a threat to the health system so severe that it demands extraordinary flexibility on the part of government insurance programs and regulators.
Beyond the money matters — critical as they are — providers and others say they lack basic information about the attack. UnitedHealth Group and the American Hospital Association have held calls and published releases about the incident; nevertheless, many still feel they’re in the dark.
Riggi of the AHA wants more information from UnitedHealth Group. He said it’s reasonable for the conglomerate to keep some information closely held, for example if it’s not verified or to assist law enforcement. But hospitals would like to know how the breach was perpetrated so they can reinforce their own defenses.
“The sector is clamoring for more information, ultimately to protect their own organizations,” he said.
Rumors have proliferated.
“It gets a little rough: Any given day you’re going to have to pick and choose who to believe,” Saad Chaudhry, an executive at Maryland hospital system Luminis Health, told KFF Health News. “Do you believe these thieves? Do you believe the organization itself, that has everything riding on their public image, who have incentives to minimize this kind of thing?”
What Happens Next?
Wired Magazine reported that someone paid the ransomware gang believed to be behind the attack $22 million in bitcoin. If that was indeed a ransom intended to resolve some aspect of the breach, it’s a bonanza for hackers.
Cybersecurity experts say some hospitals that have suffered attacks have faced ransom demands for as little as $10,000 and as much as $10 million. A large payment to the Change hackers could incentivize more attacks.
“When there’s gold in the hills, there’s a gold rush,” said Josh Corman, another co-founder of I Am The Cavalry and a former federal cybersecurity official.
Longer-term, the attack intensifies questions about how the private companies that comprise the U.S. health system and the government that regulates them are defending against cyberthreats. Attacks have been common: Thieves and hackers, often believed to be sponsored or harbored by countries like Russia and North Korea, have knocked down systems in the United Kingdom’s National Health Service, pharma giants like Merck, and numerous hospitals.
The FBI reported 249 ransomware attacks against health care and public health organizations in 2023, but Corman believes the number is higher.
But federal efforts to protect the health system are a patchwork, according to cybersecurity experts. While it’s not yet clear how Change was hacked, experts have warned a breach can occur through a phishing link in an email or more exotic pathways. That means regulators need to consider hardening all kinds of products.
One example of the slow-at-best efforts to mend these defenses concerns medical devices. Devices with outdated software could provide a pathway for hackers to get into a hospital network or simply degrade its functioning.
The FDA recently gained more authority to assess medical devices’ digital defenses and issue safety communications about them. But that doesn’t mean vulnerable machines will be removed from hospitals. Products often linger because they’re expensive to take out of service or replace.
Senator Mark Warner (D-Va.) has previously proposed a “Cash for Clunkers”-type program to pay hospitals to update the cybersecurity of their old medical devices, but it was “never seriously pursued,” Warner spokesperson Rachel Cohen said. Riggi said such a program might make sense, depending on how it’s implemented.
Weaknesses in the system are widespread and often don’t occur to policymakers immediately. Even something as prosaic as a heating and air conditioning system can, if connected to a hospital’s internet network, be hacked and allow the institution to be breached.
But erecting more defenses requires more people and resources — which often aren’t available. In 2017, Woods and Corman assisted on an HHS report surveying the digital readiness of the health care sector. As part of their research, they found a slice of wealthier hospitals had the information technology staff and resources to defend their systems — but the vast majority had no dedicated security staff. Corman calls them “target-rich but cyber-poor.”
“The desire is there. They understand the importance,” Riggi said. “The issue is the resources.”
HHS has proposed requiring minimum cyberdefenses for hospitals to participate in Medicare, a vital source of revenue for the entire industry. But Riggi says the AHA won’t support it.
“We oppose unfunded mandates and oppose the use of such a harsh penalty,” he said.
——————————
By: Darius Tahir and Bernard J. Wolfson and Daniel Chang
Title: Biden Team, UnitedHealth Struggle to Restore Paralyzed Billing Systems After Cyberattack
Sourced From: kffhealthnews.org/news/article/unitedhealth-change-healthcare-hack-cyber-cybersecurity-ransomware/
Published Date: Fri, 08 Mar 2024 10:00:00 +0000
Did you miss our previous article…
https://www.biloxinewsevents.com/the-state-of-the-union-is-busy/
Kaiser Health News
LGBTQ+ People Relive Old Traumas as They Age on Their Own
SUMMARY: Bill Hall, a 71-year-old HIV survivor, has endured numerous health challenges, including depression, heart disease, and cancer since contracting the virus in 1986. His struggles are compounded by trauma from childhood, where he faced bullying and abuse in a government boarding school. LGBTQ+ seniors like Hall often face isolation, with many living alone and lacking social support. By 2030, the number of LGBTQ+ seniors is projected to double, increasing their vulnerability to health issues and mental struggles. Many have experienced profound loss from the AIDS crisis, leading to ongoing emotional challenges. Support services remain critical for this aging population.
The post LGBTQ+ People Relive Old Traumas as They Age on Their Own appeared first on kffhealthnews.org
Kaiser Health News
Caseworkers Coax Homeless People out of Las Vegas’ Tunnels for Treatment
SUMMARY: In Las Vegas, case manager Bryon Johnson searches the underground tunnels for homeless individuals like Jay Flanders, who suffers from health issues and substance abuse. Escaping rising housing costs and law enforcement, around 1,200 to 1,500 people live in these tunnels, which provide shelter from extreme weather but pose significant health risks, especially during monsoon season. Outreach workers emphasize the dangers of drug addiction and untreated health conditions, urging residents to seek medical care above ground. As housing costs soar, many homeless individuals, including tourists, end up in these perilous conditions, seeking cover from societal judgment and harsh weather.
The post Caseworkers Coax Homeless People out of Las Vegas’ Tunnels for Treatment appeared first on kffhealthnews.org
Kaiser Health News
In Settling Fraud Case, New York Medicare Advantage Insurer, CEO Will Pay up to $100M
SUMMARY: Independent Health Association of Buffalo and Betsy Gaffney, CEO of medical analytics firm DxID, have agreed to a settlement of up to $100 million to resolve Justice Department allegations of fraudulent Medicare billing for exaggerated or non-existent health conditions. Independent Health will pay up to $98 million, while Gaffney will contribute $2 million. Neither party admitted wrongdoing. The case was triggered by whistleblower Teresa Ross, highlighting issues of “upcoding” in Medicare Advantage plans. Ross, having faced repercussions for her allegations, will receive at least $8.2 million from the settlement. This case underscores the challenges of regulating billing practices in the Medicare system.
The post In Settling Fraud Case, New York Medicare Advantage Insurer, CEO Will Pay up to $100M appeared first on kffhealthnews.org
-
Local News4 days ago
Hard Rock Hotel & Casino Biloxi Honors Veterans with Wreath-Laying Ceremony and Holiday Giving Initiative
-
News from the South - North Carolina News Feed4 days ago
Social Security benefits boosted for millions in bill headed to Biden’s desk • NC Newsline
-
Mississippi Today7 days ago
Mississippi PERS Board endorses plan decreasing pension benefits for new hires
-
Local News4 days ago
MDOT suspends work, urges safe driving for holiday travel
-
Mississippi News Video6 days ago
12/19- Friday will be breezy…but FREEZING by this weekend
-
News from the South - Missouri News Feed5 days ago
Could prime Albert Pujols fetch $1 billion in today's MLB free agency?
-
Local News6 days ago
Trump calls for abolishing the debt ceiling
-
News from the South - Texas News Feed6 days ago
Amazon workers strike at facilities around the country as Teamsters seek contract