Change Healthcare pays $22 million ransom to Blackcat for cyber attack

The American Medical Association (AMA) and American Hospital Association (AHA) are firing back in the face of prior authorization and claims payment issues caused by the recent cyberattack on Change Healthcare.

Earlier this month Change Healthcare, owned by Optum and UnitedHealth Group (UHG), announced connectivity issues which turned out to be a cyberattack. Within the same week, the U.S. Justice Department announced an antitrust investigation into UnitedHealth regarding its relationship between its insurance unit and health-services arm.

Blackcat claimed responsibility for the cyberattack, claiming to have stolen an enormous amount of data that included the social security numbers and contact information including emails of patients, physicians, and military personnel. According to several reports, Change Healthcare paid $22 million in ransom, and there have been unofficial reports of healthcare practices receiving emails as early as January of this year leading to some speculation of the actual timeline of the event.

In the face of the shutdown, UHG offered workarounds for claims filing, however part of the criticism from providers was that the solutions offered required manual entry of claims. Given that some providers bill out thousands of claims per day, the workaround was not realistic. On March 8th, UHG reported that the electronic prescribing for pharmacy was fully functional, however for physician and hospital claims systems will not be functional until sometime after the week of March 18th.

While UHG is offering a temporary funding assistance program has been offered to providers that qualify, however according to a recent Fierce Healthcare report providers are seeing record losses and are also concerned about authorization issues, future denials and backlog as a result of the cyberattack.

On March 13th, the AHA issued a letter to the Senate Finance Committee calling for financial assistance highlighting the fact that the financial assistance being offered by UHG was only a 30-day payment amount and a 90 day repayment amount. Additionally, the AHA letter addressed the fact that potential excessive denials due to inability to file claims timely or obtain an authorization needed to be directly addressed as well.

Early on March 10th, the Health and Human Services (HHS) issued a statement urging UHG to take responsibility to make sure no provider is financially compromised by the cyberattack. HHS also chastised UHG’s lack of response by urging the organization to “communicate more frequently and more transparently”. HHS called for UHG to ensure ease of access by ways of less restrictive terms, and to provide Medicaid agencies with a list of impacted providers. HHS called for other insurance companies to relax prior authorization requirements, and ease administrative burdens by simplifying electronic data interchange requirements and timelines and by accepting paper claims.

On March 13th, HHS announced an official investigation into the Change Healthcare cyberattack, stating that poses a national threat to critical patient care and essential operations. According to the letter, the focus of the investigation is to determine whether a breach of protected health information occurred, and if Change Healthcare and UHC complied with HIPAA regulations. One important notification included in the letter was a reminder to business associates of Change Healthcare that they have regulatory obligations as well to timely report breaches of their information to HHS.

According to the AHA letter, Change Healthcare processes around 15 billion health care transactions ever year, touching approximately 1 in every 3 patient records. Of nearly 1,000 hospitals responding to a recent survey, 74 percent stated they had experienced a delay in patient care due to authorization issues. Ninety-four percent of hospitals from the same survey reported financial impacts, with over half reporting those impacts to be significant or serious.

According to statistics from Kodiak Solutions, cash value of claims dropped by 25 percent the first week of the attack, and 63 percent by the third week this month. The estimated cash flow is $1.84 billion within the first week, and $2.53 billion currently.

According to a March 12th report from the Massachusetts Health and Hospital Association, the Change cyberattack is costing the state’s hospitals at least $24 million per day. The total is a critical factor as 71 percent of hospitals in the state are currently experiencing negative operating margins.

Earlier this week, National Law Review reported that at least six class action lawsuits have been filed against Change and its affiliates. HealthcareDive has reported that four of the lawsuits were filed in Tennessee where Change is based, and two were filed in Minnesota where is UHG is located. The basis of the lawsuits contend that Change did not implement adequate cybersecurity measures to prevent the breach from happening.

According to SEC filings, UHG’s revenues grew $47.5 billion with double-digit group at both Optum and UnitedHealthcare. UHG’s 2023 earnings from operations totaled $32.4 billion. Workers’ Compensation