A week after a cyberattack disrupted insurance processing at pharmacies across the US, health care professionals from Maryland to New York tell CNN that the hack continues to upend their businesses, potentially cutting into revenue.
Raeya Disney, a psychotherapist who treats trauma victims in Maryland, said she worries she is “at risk of having to give up my office space” if the billing outage continues much longer.
“I’ve begun manually billing and I’m praying that I will be paid,” Disney told CNN.
Purvi Parikh, an allergist with a private practice in New York, said the hacking incident “just puts a lot more burden on physician practices, hospitals, pharmacies that now are scrambling to figure out the alternatives of how to get claims submitted or fill prescriptions.”
Parikh hasn’t been able to submit claims to insurance carriers for a week, she said.
It’s all part of the fallout from a cyberattack that a week ago hit Change Healthcare, a unit of health IT giant UnitedHealth that processes prescriptions to insurance for tens of thousands of pharmacies nationwide.
Lack of payment isn’t sustainable
Carter Groome, chief executive of First Health Advisory, a cybersecurity firm whose clients include big health care organizations, estimated that some health care providers are losing more than $100 million per day because of the outage.
“That’s just not sustainable in an industry with not a lot of cash on hand,” Groome told CNN.
“This is our Colonial Pipeline,” he said, referring to a 2021 ransomware on one of America’s biggest pipelines that disrupted fuel shipments for days and cemented ransomware as a national security concern in the minds of senior US officials.
In the wake of the hack, Elevance Health, which owns Anthem Blue Cross and Blue Shield and insures millions of Americans, has severed network connections to Change Healthcare “out of an abundance of caution,” Elevance spokesperson Leslie Porras told CNN in an email.
“The ability for our members to access medical care, services or fill their prescriptions remains unaffected,” Porras said.
As of Wednesday morning, Change Health Care said the company’s affected network was still offline. Tyler Mason, a company spokesperson, said that insurance claims submissions have returned to “pre-disruption levels” because health care providers are using “alternative clearing houses” to submit claims.
Mason said that doctors and patients can use these workarounds to address the problems described by Parikh and Disney.
“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need,” Mason said in an email. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”
But confusion among some health care professionals about how to adapt to the situation remains.
Amy Cizik, a health care researcher in Utah, has been trying to get her pharmacy in Salt Lake City to process her insurance for days. Her 16-year-old daughter has a rare genetic syndrome and takes multiple medications to manage the conditions that come with the syndrome, Cizik told CNN.
“She needs the drug to function at school, to function well in our household,” Cizik said.
With medication running out, Cizik said she spent an hour on the phone Tuesday trying to resolve the situation. The pharmacy transferred her to the insurance provider, which transferred her to another firm that handles prescription drug benefits on behalf of insurers.
No one could resolve the issue, she said.
“As somebody who has a child with chronic illness with multiple prescriptions who works a fulltime job, me caring for her is a whole other job that I do,” she said. “And this is just adding to that.”
Cizik said the pharmacy was finally able to process her insurance on Wednesday morning, narrowly avoiding having to pay $1,000 over the counter for the medication.
‘A systemic attack’
Senior US cyber officials have been concerned about the cyberattack from the moment that news of the hack broke. Officials from the FBI and departments of Health and Human Service (HHS) and Homeland Security have held regular calls for days to try to get a handle on the problem, CNN previously reported.
Andrea Palm, the deputy HHS secretary, told CNN on Tuesday that the department continues to be in close touch with Change Healthcare as the company tries to restore its network.
Forensic evidence recovered in the investigation indicates that a prolific ransomware gang was responsible for the hack, according to private briefings Change Healthcare executives have given to other health care executives, two people familiar with the conversations told CNN.
The ransomware gang, which includes Russian-speaking cybercriminals, rents out their so-called malicious software, known as ALPHV or BlackCat. Hackers using the malware have claimed a slew of attacks on US universities, health care providers and hotels in the last 18 months. On Wednesday, the ransomware gang claimed responsibility for hacking Change Healthcare, listing the company as a victim on its dark-web site.
Reuters first reported on the connection between ALPHV ransomware and the Change Healthcare hack.
The Justice Department in December announced an operation targeting the ALPHV gang, including the seizure of some of its computer infrastructure. But well-oiled cybercriminal groups often bounce back from US law enforcement crackdowns.
As of Tuesday afternoon, the American Hospital Association (AHA), an industry group that represents thousands of hospitals and health care clinics across the US, was still receiving reports from members that the cyberattack was interfering with the processing of insurance claims, John Riggi, AHA’s national advisor for cybersecurity and risk, told CNN.
“This was a systemic attack,” Riggi said. “This was an attack not only on Change Healthcare. This was an attack on the entire health care sector.”