Last month’s suspected ransomware attack on a major health technology company has sent the health care system reeling — costing providers an estimated $100 million daily as payment disruptions continue, according to an estimate from First Health Advisory, a digital health risk assurance firm.
“This is by far the biggest ever cybersecurity attack on the American healthcare system ever,” Dr. Céline Gounder, a CBS News medical contributor and editor-at-large for public health at KFF Health News, said Tuesday. “This is a system, Change Healthcare, that processes medical payments and touches one out of every three patients in this country. So the magnitude of the scope of this attack is really quite large.”
Change Healthcare is a Tennessee-based company, part of the health services provider Optum, Inc. and owned by the massive conglomerate UnitedHealth Group. It first reported experiencing company-wide connectivity problems in February.
Here’s what else to know:
What is the attack impacting?
Gounder says providers are facing numerous challenges due to the cyberattack, including impacts to a provider’s ability to bill and process things like prior authorizations.
“Can you get those medications? Can you get an estimate, say, on a surgery that you want to schedule? What is that going to look like in terms of your insurance coverage, and so on. All of those kinds of things are being affected,” she said.
It’s also affecting patients’ ability to fill their prescriptions at some hospitals.
“Here, for example, we’re only able to give some patients only two weeks of refill,” Gounder said. “So it means that they may need to come back over and over again. And some patients are even having to pay out of pocket for their refills.”
Is the government doing anything to help?
On March 5, almost two weeks after Change Healthcare first reported what it initially called a cybersecurity “issue,” the U.S. Department of Health and Human Services announced several assistance programs for health providers affected.
“The government is trying to create some supports for health care systems — not directly supporting patients, but the systems,” Gounder explains. “This is because without revenue coming in through the billing process, you don’t have money to make payroll to be able to pay your doctors and your nurses and your janitors and all the staff that you need to run a health care system.”
It’s also interfering with the ability to order needed medications and supplies, she adds.
“So the idea is to try to help support health care systems through this, but especially Medicaid providers, those who have less of a buffer, so to speak, financially — they’re really in deep trouble here,” Gounder said.
HHS Secretary Xavier Becerra, White House domestic policy chief Neera Tanden and other administration officials met Tuesday with United Health CEO Andrew Witty and urged him to take more steps to stabilize the U.S. health system amid the payment crisis, two sources briefed on the meeting told CBS News.
Officials encouraged UnitedHealth and other insurers in attendance to account for premiums that they’re collecting from patients but not paying out to health care providers, as unpaid bills pile up for hospitals, medical practices and pharmacies nationwide.
Doesn’t HIPAA protect health information?
While there are tight controls around patient records, Gounder says there are potential loopholes hackers could exploit. For example, a medical device connected to the hospital’s internet or an HVAC system could be vulnerable.
“Those provide backdoors to enter and hack the internet system of a health care system,” Gounder explains.
–Nicole Sganga contributed reporting.