Doctors across the US are stretching to keep their practices afloat as a debilitating cyberattack on a once little-known company at the center of the health-care system continues to cause havoc.
The Feb. 21 attack against Change Healthcare, a subsidiary of the largest US health insurer by market value, UnitedHealth Group Inc., has seized the health-care system for three weeks and counting, halting the normal flow of billions of dollars in payments between doctors, hospitals, pharmacies and insurers. The paralysis is tilting some clinics into financial peril.
“I can’t believe we’re in this mess,” said Kathy Oubre, chief executive officer of Pontchartrain Cancer Center in southeast Louisiana. “It’s going to take us months to dig out.”
Among the hardest-hit are smaller centers that give patients chemotherapy or infuse medication for other illnesses, and count on timely insurance payments to cover their drug purchases. Several cancer practices said that they’re concerned about their ability to pay for drugs as cash flows dry up. Some said that pharmaceutical wholesalers have been allowing them to delay payments — a sign that the effects of the hack are seeping into new corners of the $4.5 trillion US health-care industry. Change has said it processes $2 trillion in health-care claims each year.
The Pontchartrain Cancer Center is bringing in just 40% of its typical payments, Oubre said. The group, which treats about 6,000 patients a year, is applying for relief from Medicare, but if the problem persists for four to six more weeks, it may need to ask its owners to personally guarantee a loan — or turn some patients away, she said.
The financial pressure on health clinics is growing as expenses and unpaid bills accumulate. At a community health center in east Texas and Arkansas, the billing team is working weekends and the clinic is mailing paper claims to health insurers, running up a tab for printing and postage. Some physicians in New Mexico are forgoing their paychecks to help make ends meet.
“Practices by and large are still not getting paid, and it is a disaster,” said Jesse Ehrenfeld, president of the American Medical Association and an anesthesiologist in Milwaukee.
Money meanwhile is piling up at insurers who continue to collect premiums but aren’t receiving claims that used to travel on Change Healthcare’s networks. That’s up to 20% of inbound claims for Humana Inc., which provides medical benefits for almost 17 million people. Some insurers can’t send payments because they relied on Change for that, too.
Biden administration leaders asked UnitedHealth CEO Andrew Witty and leaders of other health insurers to make more emergency funding available to providers during a meeting on Tuesday, according to a statement from the Department of Health and Human Services, echoing requests the agency made in a letter over the weekend.
A representative for UnitedHealth declined to comment on the meeting. Shares of the company had declined 6.3% since the hack last month through Tuesday’s close.
UnitedHealth Group CEO Andrew Witty Photographer: Steven Ferdman/Getty Images
UnitedHealth said last week that some services for pharmacies have been restored. Its payments platform should return on Friday, the company said, and testing on the medical-claims network will begin next week. Yet with backlogs of billions of dollars in claims payments growing, no one knows how long it will take for things to fully get back to normal.
“I can’t make an estimate,” UnitedHealth Chief Operating Officer Dirk McMahon, who is leading the company’s response, said in a March 7 interview.
Precarious Practices
While larger hospitals are expected to withstand the crisis, the outlook is less clear for smaller medical practices with weak finances that rely on Change’s services, according to Moody’s. Much of the response so far has relied on insurers and vendors agreeing to waive the normal ways they do business to keep practices running.
Still, improvised solutions in some cases have provided only limited lifelines for strapped providers. Barbara McAneny, the CEO of New Mexico Oncology Hematology Consultants, a 27-physician group, said she asked drug distributor Cencora Inc. for 60 more days to pay her drug bills. Cencora offered to extend her due date by two weeks without late fees, she said.
“That’s not sufficient,” McAneny said. “I’m not going to get paid in two weeks.”
McKesson Corp., a Cencora competitor, has also been giving medical practices greater flexibility to pay their drug invoices, according to practice executives and communications reviewed by Bloomberg News.
Cencora is giving some independent providers and pharmacies more time to pay their bills, and allowing them to order more drugs than usual, spokesperson Mike Iorfino said. The flexibilities will be in place through March 31. He didn’t comment on McAneny’s situation. McKesson didn’t respond to requests for comment.
The pharmaceutical industry is also taking note. Bristol Myers Squibb Co. is “working to offer a temporary adjustment in payment terms” for cancer medicines and blood disorder drugs, a spokesperson said.
Central Hub
Cyberattacks happen all the time in health care. Hackers pilfer records to sell on the dark web. Ransomware gangs lock up hospital computers. Most breaches don’t make headlines, yet the BlackCat hacker group that UnitedHealth said breached Change Healthcare’s networks landed on a critical nexus that links the people who provide medical care with the entities that pay for it.
UnitedHealth touted Change’s extensive reach — to more than 200 million people a year — when the insurer announced its purchase of the company for $7.8 billion in 2021. US officials estimate billions of dollars in payments are being affected by the disruption to Change’s networks each week, according to a senior Biden administration official, who asked not to be named describing private assessments.
The wide-reaching impact of the Change hack “is proof positive” that significant single points of failure exist in US cyber critical infrastructure, said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, a think tank focused on national security. The US must identify those weak points and help them establish minimum standards of cybersecurity, Montgomery said in an interview.
Leading up to Change’s outage were decades of acquisitions that built a complex apparatus reaching into every corner of the US health-care system.
Mostly invisible until the hack, Change Healthcare was designed to replace mountains of health-care paperwork with more efficient electronic transactions. Its predecessor, Emdeon, launched in the mid-1990s and rode the tech bubble to an initial public offering. At one point, it operated the WebMD website.
Private equity giant Blackstone Inc. bought the company for $3 billion in 2011 and in 2017 combined it with some technology assets that belonged to McKesson. The drug wholesaler took a majority stake in the new entity, by then branded Change Healthcare, a name one former executive said evoked the company’s aspiration to cut down on waste and administrative friction.
Change made more than a dozen acquisitions between 2008 and 2018, according to data compiled by Bloomberg. In that period, new companies weren’t well-integrated, former employees said. One former executive said Change could address any problems payers or providers had, but outdated technology sometimes impeded sales. Another former employee said there was little coherent strategy behind Change’s acquisitions. Waves of layoffs contributed to a toxic culture, the former employee said.
A representative for UnitedHealth didn’t respond to a request for comment about the former employees’ accounts.
Change went public again in 2019. UnitedHealth said it would buy Change in early 2021, drawing an antitrust challenge from the US Department of Justice. Regulators said the deal would put too much data about customers and competitors in the hands of UnitedHealth.
After a two-week trial in Washington, a federal judge disagreed and allowed the acquisition to proceed.
Shifting Gears
Following the Change hack, UnitedHealth offered workarounds, including some run by its own Optum subsidiary. The largest competing clearinghouse, Availity, opened a free service that was adopted by more than 300,000 new providers and dozens of health systems and payers. Claims traveling on its network jumped 40% over typical levels, CEO Russ Thomas said.
Yet companies that had relied on Change’s services couldn’t just flip a switch. Changing payment clearinghouses normally requires months of planning, and even practices that have alternatives have been processing less than their usual amount of business, with inbound claims diminished. One health-insurance executive said inbound claims were still down 20% to 30%, and payments to the company’s providers remained frozen.
US officials have repeatedly urged UnitedHealth to communicate more transparently, speed up its fixes and provide more flexibility to its customers, according to three Biden administration officials familiar with the matter, who asked not to be named as the details are private. Top Biden health authorities told insurers to loosen rules that can keep patients from getting care while Change systems are down.
Over the weekend, Medicare said it plans to let cash-strapped providers seek advance payments, but they won’t be automatic advances like the agency made during Covid disruptions. Officials also encouraged private insurers to float funds to providers while claims are bottlenecked.
UnitedHealth has announced two programs intended to supply financial lifelines to providers facing cash crunches, and said last week it would act as a funder “of last resort” on a case-by-case basis. The company called on other insurers to offer relief, but none of its largest rivals have publicly said they will.
At Tuesday’s meeting, US officials said further guidance would be forthcoming on how states can support Medicaid providers.
UnitedHealth committed on a recent call with clients to release a forensic report being done by Alphabet Inc.’s Mandiant subsidiary, according to a health-insurance executive who asked not to be named discussing private information. UnitedHealth representatives didn’t respond to questions about the Mandiant report.
Wired reported that the hackers received a $22 million bitcoin payment, and posts on ransomware forums indicate that four terabytes of data may have been stolen, according to the Krebs on Security website. UnitedHealth hasn’t said whether it paid a ransom or what data was compromised. If health information is breached, companies have 60 days to report it to the government.
Top photo: The UnitedHealth app on a smartphone arranged in New York, US, on Friday, July 7, 2023. UnitedHealth Group Inc. is scheduled to release earnings figures on July 14.
Was this article valuable?
Here are more articles you may enjoy.
Report: Claims Handlers Embracing Technology 
Zurich, Philadelphia, Others Ordered to Pay $345M to Cover Abuse Charges at Georgia School 
UnitedHealth Data Leak May Affect ‘Substantial’ Swath of U.S. 
Supplemental Claims Don’t Need to Include Damage Estimates, Fed Appeals Court Says 
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.