AMA fears Change cyberattack may shut small medical practices

The ongoing impact of the February 21 Change Healthcare cyberattack and subsequent system outage threatens the sustainability of physician practices across the country, possibly resulting in closures, which could destabilize patient care in some areas, according to informal survey findings from the American Medical Association.

Practices of 10 physicians or less – the bulk of 1,400 survey respondents, or 78% – appear to be particularly hard hit, AMA said in an announcement last week, noting that, despite the challenges, practices show resilience, with only 15% indicating that their practices reduced hours since the disruption started.

However, AMA is concerned that many will not be able to go much longer and highlighted the serious impacts on patient care that respondents reported in the survey.

Why it matters
The presumed ALPHV ransomware attack on Change Healthcare first affected pharmacies and access to drug treatments nationwide, but it did not take long for healthcare organizations to feel financial strain.

With the revenue cycle blasted by Change’s knockout, most practices that state medical associations and national medical specialty societies reached out to on AMA’s behalf between March 26 and April 3, experienced service disruptions – 77% of them, in fact.

More lost revenue from unpaid claims – 80% – and even more committed additional staff time and resources to what respondents deemed a substantial use of workarounds – 85%.

The survey was conducted after UnitedHealth Group said that claims processes would resume the weekend of March 23, AMA said. While some Change claims processing systems have been restored, many services are only partially operational, with many others still being resorted, according to UHG’s online Change Healthcare cyber-response update page.

The high level of disruption has led to severe consequences for physician practices, AMA said the findings show.

“The survey is also a reminder of the fragility of physician practices,” the organization said. It noted that claims payment and other financial impacts persist, despite new arrangements with alternative clearinghouses, because the event has been costly for small practices.

“We couldn’t afford the cost of doing this.” one respondent told AMA. “Other clearinghouses are taking advantage of this and small practices like mine who are already suffering without funds coming in can’t afford to pay three times as much to take the time to switch clearinghouses.”

Another respondent broke down the numbers on a workaround:

“Approximately $10,000 just for the set-up of a ‘back-up’ clearinghouse,” they said. “Additionally, one of our payers has changed clearinghouses, and they have told us that we are going to have an additional 2% charge on all claims, which will cost the organization approximately $1,000,000.”

Physician practices reported taking advanced payments, temporary funding assistance and loans, including from the Centers for Medicare & Medicaid Services – 12% – UnitedHealth Group/Optum – 25% – other health plans and state Medicaid programs – 4.5% and .7%, respectively.

Of serious concern, patient care has also suffered, respondents reported, with AMA highlighting the risks to patient access.

“Many respondents are concerned about the negative impact this attack has had on patient care,” the association said.

In addition to procedure delays, appointments canceled due to lost insurance-verification access and the inability to get medications that led to at least one patient’s disease flaring “significantly,” one respondent said that the disruption has “severely affected our ability to manage pain care with our cancer patients.”

The larger trend
While more effort is needed to avoid the cyberattack chain reactions like those that occurred after the Change Healthcare cyberattack, the American Hospital Association recently shared concerns with the House Committee on Energy and Commerce’s Subcommittee on Health about imposing fines or cutting Medicare payments that “would unfairly penalize hospitals and not improve the cybersecurity of the entire healthcare sector.”

AHA told lawmakers Wednesday at the Fiscal Year 2025 Department of Health and Human Services Budget hearing that levying potential penalties on hospitals and other healthcare organizations could diminish an organization’s resources needed for cyber defense.

“The cybersecurity proposal put forward in the President’s FY 2025 budget that would penalize hospitals is misguided and will not improve the overall cybersecurity posture of the healthcare sector,” AHA said in its testimony.

On the record
“These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians,” said AMA president Dr. Jesse M. Ehrenfeld, in a statement. “The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.” Healthcare IT News