Fraud Management & Cybercrime , Healthcare , Industry Specific
Change Healthcare Attack 'Devastating' to Doc Practices
AMA Survey Finds 80% of Practices Lost Revenue From Unpaid ClaimsThe IT services disruptions resulting from the Change Healthcare cyberattack is continuing to have a "devastating" effect on physician practices - especially smaller ones - threatening the financial viability of many and posing serious implications to patient care, said the American Medical Association in a new report.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
AMA said an "informal survey" of state medical associations and national medical specialty societies had about 1,400 respondents - mostly from within medical practices with under 99 physicians, with the majority having 10 or fewer doctors. The survey was conducted from March 26 and April 3.
The AMA found the inability for doctor practices to electronically verify patients' benefits eligibility, process claims, conduct other revenue management activities, as well as other critical functions during the Change Healthcare IT outage, which started on Feb. 21, has created a snowball effect on the practices - even as the company has been bringing IT services back online in recent weeks.
AMA said 80% of doctor practices surveyed have lost revenue from unpaid claims; 85% have had to commit additional staff time and resources to complete revenue cycle tasks; and 51% have lost revenue from the inability to charge patient co-pays or remaining obligations.
As a result, 55% of respondents said they had to use personal funds to cover practice expenses, 44% were unable to purchase supplies, and 31% could not make payroll.
Change Healthcare, and its parent company, UnitedHealth Group, are already facing more than two dozen proposed federal class action lawsuits related to the attack.
About half of those are lawsuits by individuals who allege they are at risk for identity theft and fraud due to their data being compromised in the attack. UnitedHealth Group has not yet publicly disclosed the extent of a possible breach, although has admitted that data was "taken" by attackers in the incident (see: Change Healthcare Attack Recovery Woes, Lawsuits Pile Up).
The other lawsuits are filed by healthcare practices that claim their businesses have suffered financially from the Change Healthcare IT disruption and the inability to process claims and conduct other functions.
One such lawsuit, filed Tuesday in a Tennessee federal court by Eye Surgeons of Central New York P.C., alleges the Change Healthcare disruption is threatening to potentially put that practice and many others out of business.
"For weeks, healthcare practices like plaintiff have received little, if any, reimbursement from insurers for patient visits," the lawsuit alleges.
"Without normal cash flow from these reimbursements, small and mid-sized practices may be unable to sustain operations, as they cannot afford employee payroll, rent/mortgage, payroll, expenses and/or medical supplies."
Liverpool, New York-based Eye Surgeons of Central New York, which has one ophthalmologist and two optometrists, in its lawsuit said the practice has continued to treat patients during the Change Healthcare outage, "without any certainty about when payment would be received."
The practice in court documents said that for over two decades, it has contracted with Management Plus EMR for billing services, which uses the Change Platform to submit bills/reimbursement forms to insurers on behalf of its clients like Eye Surgeons of New York.
As of April 3, Eye Surgeons of New York estimated losses of more than $483,000 based on outstanding medical bills that were not processed because of the Change Healthcare outage.
"Due to the inability to submit bills and get paid for services rendered to its patients after the Change Platform was disabled, plaintiff experienced a backlog of unpaid revenues, which has impacted its ability to operate and treat its patients," the complaint alleges.
The AMA survey found that 36% of respondents reported suspension in claims payment; 32% being unable to submit claims; and 22% being unable to verify eligibility for benefits. "Practices of 10 physicians or less appear to be particularly hard hit," the AMA said.
"The disruption caused by this cyberattack is causing tremendous financial strain,” said Dr. Jesse Ehrenfeld, AMA president in a statement.
"Practices will close because of this incident, and patients will lose access to their physicians," he said.
"The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open."
UnitedHealth Group said that to date, it has provided about $4.7 billion in temporary financial assistance to healthcare providers affected by the incident.
Meanwhile, behind the scenes, the Change Healthcare attack saga continues to grow more complicated.
This week, a second cybercriminal gang - RansomHub - on its dark web leak site threatened to sell 4 terabytes of Change Healthcare data stolen in the attack by another group's affiliate - AlphV/BlackCat - to the "highest bidder" unless UnitedHealth Group pays a ransom.
UnitedHealth Group had reportedly paid BlackCat a $22 million ransom for a decryptor key and to prevent a data leak in the aftermath of the Feb. 21 attack. But the BlackCat affiliate who claimed to steal the data alleges that BlackCat/AlphV administrators cheated them out of their share of the UnitedHealth Group ransom.
The latest ransom demand by RansomHub is believed to be related to the disgruntled BlackCat affiliate and their attempt to still score a bounty from the attack.
UnitedHealth Group did not immediately respond to Information Security Media Group's request for comment.