3rd Party Risk Management
,
Cybercrime
,
Fraud Management & Cybercrime
But Hospital Lobby Group Contends Funding Is ‘Onerous’ and ‘Exceedingly’ Limited
Two weeks into a major cyberattack-induced outage at its Change Healthcare business, UnitedHealth Group is offering short-term financial aid to some healthcare providers whose cash flows may be running short because of the disruption in insurance payments.
See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors
The company’s temporary, interest-free, fee-free funding assistance is being offered through its Optum Financial Services unit for certain provider organizations affected by the Change Healthcare system outage.
“We understand the urgency of resuming payment operations and continuing the flow of payments through the healthcare ecosystem,” UnitedHealth said Monday.
“While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”
Once standard payment operations resume, “the funds will simply need to be repaid,” UnitedHealth said.
The program is not for providers who have had claims submission disruptions but rather for those whose payment distribution by payers has been affected, UnitedHealth Group said.
“The payments infrastructure we’re using to facilitate this program is the same capability we used to help the federal government administer the CARES Act funding support to providers at the height of the pandemic,” it said. “We have the full horsepower of UnitedHealth Group working expeditiously to solve this matter.”
Some experts said UnitedHealth Group’s aid program is an unusual way to address the fallout from cyber incidents.
“This is a novel approach,” said attorney Rachel Rose. In similar cases she has been involved in, “neither the claims submissions nor the anticipated funds were addressed,” she said.
“The affected persons were left to contact their insurance companies, banks, etc. in order to bridge the cash flow gap,” Rose said.
The move by UnitedHealth to offer financial assistance might also help the company with potential lawsuits by entities affected by decreased revenues or other quantifiable damages that come into play. “It is a pre-emptive way to mitigate damages,” Rose said.
Narrow Scope?
Not everyone is impressed by what UnitedHealth is offering.
The American Hospital Association in a statement Monday criticized the offer of financial assistance and said the program is available to “an exceedingly small number” of hospitals and health systems.
The program “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage,” the AHA said. “Specifically, this program seeks to address only one of the two major problems facing health care claims processing: payers’ inability to pay via Change Healthcare,” AHA said.
“It wholly ignores the second and equally problematic issue facing providers: the inability to accurately and in a timely way send claims to payers. In other words, this ‘assistance program’ provides very limited relief for providers who cannot bill payers due to the ongoing disruption of Change Healthcare’s pervasive clearinghouse and claims submission systems,” the AHA said.
It also called the terms and conditions of the financial assistance agreement “shockingly onerous.”
Process Workarounds
UnitedHealth, the parent company of Change Healthcare, said in its status update Monday that the company is working on “multiple approaches” to restore the IT environment affected by the Change Healthcare cyberattack detected on Feb. 21 (see: Groups Warn Health Sector of Change Healthcare Cyber Fallout).
The company said it continues “to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action.”
In the meantime, the company said, “an online environment, e-prescribe, is now active to help reduce workload associated with pharmacy workarounds.” Those workarounds include manual processes to submit information, check eligibility, look at claim status to make claims, clear prior authorizations and fill prescriptions.
“As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds,” UnitedHealth said.
As of Monday, more than 100 of Change Healthcare’s IT products were still offline. That includes clinical, revenue cycle management, and an array of other applications affecting a wide range of healthcare sector entities including hospitals, pharmacies, dental practices and insurers.
“We are working quickly – around the clock – and safely to restore systems and services,” UnitedHealth said. “We will not take shortcuts or any additional risk when it comes to safeguarding our information, customer and consumer information, or the connectivity back to our systems.”
Optum, a unit of UnitedHealth Group that acquired Change Healthcare in 2022 for $7.8 billion, said Change Healthcare processes 15 billion healthcare transactions annually. The company said Change Healthcare’s clinical connectivity solutions “touch” 1 in 3 patient records in the U.S. (see: The Widespread Effect of the Change Healthcare Mega Hack).
Last week, the company confirmed that it had been experiencing a cybersecurity incident perpetrated by cybercrime threat actors claiming to BlackCat. The Russian-speaking ransomware group, which also goes by AlphV, last week posted on the dark web that it had exfiltrated 6 terabytes of “highly selective data” from Change Healthcare pertaining to “all” of the company’s clients (see: BlackCat Pounced on Health Sector After Federal Takedown).
UnitedHealth said its privacy and security teams are “working to understand” whether patient, member or customer information was compromised in the incident.
UnitedHealth also said it has “a high level of confidence” that the incident involves only Change Healthcare IT systems and that the hack didn’t affect Optum, UnitedHealthcare and UnitedHealth Group systems.
Mandiant and Palo Alto Networks are working with UnitedHealth in the investigation and recovery, and Microsoft and Amazon Web Services are engaged for “additional scanning” of the company’s cloud environment, UnitedHealth said.
“There is no evidence of cross-contamination or that this has moved beyond those boundaries,” UnitedHealth said.
Pharmacy Disruptions
Pharmacies, from large retail chains to those in military hospitals and clinics, are among the healthcare sector entities most affected during the outage (see: Change Healthcare Outage Hits Military Pharmacies Worldwide).
“All pharmacy management systems can process offline claims and we are working with pharmacies to ensure they know how to fill prescriptions for consumers during this outage,” UnitedHealth said. “Along with offline processing, many large retail pharmacies have the ability to direct their claims through the Relay Health network, a backup to help avoid claim delays.”
As pharmacies continue to institute workarounds, data suggests pharmacy claims “are flowing at near-normal levels,” UnitedHealth said.
“We continue to bring back the online Change Healthcare pharmacy network in a separate environment. We were already processing part of our Change pharmacy transactions in a separate environment in the cloud prior to this disruption,” UnitedHealth said.
“Now, we are scaling that environment and driving comprehensive connections with pharmacies and payers, so we feel confident about announcing the timeline for this pharmacy switch launch early next week. Bringing this network up will enable pharmacy claim submissions.”
UnitedHealth Group did not immediately respond to Information Security Media Group’s request for additional details about the financial assistance program and the Change Healthcare cyberattack.
Cyber Insurance Considerations
Attorney Peter Halprin, a partner of the law firm Haynes Boone, said the Change Healthcare attack underscores the importance of entities that are dependent on third-party services obtaining insurance that extends to revenue losses associated with service-provider outages.
“Given the potential financial implications of such attacks, companies should consider the bottom-line protection provided by cyber insurance,” he said. In particular, such policies “can provide broad business interruption coverage.”