For a month now Sacramento dermatologist Dr. Margaret Parsons has been unable to submit insurance claims to get paid for services provided.

All of her private practice’s claims go through Change Healthcare, the country’s largest network for insurance billing and the subject of a Feb. 21 cyberattack that has yet to be fully resolved.

Change Healthcare, a subsidiary of UnitedHealth Group, processes roughly half of all medical claims nationwide. Four weeks since the cyberattack, some providers in California and elsewhere are still waiting to file claims and get reimbursed. In the meantime, they’re scrambling to pay bills and order medical supplies.

The cybersecurity breach interrupted payments and prescription drugs processing for tens of thousands of hospitals, physician groups, dentists and pharmacies. The American Hospital Association called it “the most significant cyberattack on the U.S. health care system in American history.”

The precise entry point for attackers is unknown but typically ransomware attacks involve someone clicking a malicious link in an email. It showed the vulnerability of the financial infrastructure underpinning the health care system. And, providers are learning, the fallout can be long-lasting.

Parsons’ four-doctor private practice sees about 100 to 125 patients a day. It’s a healthy business, but cash flow is drying up, she said. With electronic billing, she files her claims and is typically reimbursed within two weeks. Her office ran the numbers recently, and she expects her practice will be OK for at least a couple of weeks.

But it’s been a stressful month, she said. Until recently she was considering filing insurance claims the old-school way, through paper. She opted to wait that out because paper claims take twice as long and are more prone to data entry errors, she said. At one point she also questioned whether she’d need to borrow money to pay rent and her staff.

“You calculate the bank balance, the weekly bills, the payroll, and you start counting hard. You look at your line of credit and you decide if you’re calling your bank,” she said.

She said she recently got some peace of mind after her office contracted with an alternate insurance claims system, which she expects to be up soon. She also has applied to access advanced payments from Medicare via a temporary program set up to grant providers some relief. Medicare is the federal public insurance program for seniors and people with disabilities. That option gives her some breathing room and she’s optimistic that she will soon be able to submit claims again.

“At this point we’re hopeful for next week,” she said.

“You calculate the bank balance, the weekly bills, the payroll, and you start counting hard. You look at your line of credit and you decide if you’re calling your bank.”
— Dr. Margaret Parsons, dermatologist, Dermatology Consultants of Sacramento

Change Healthcare carries out more than 100 health care system operations functions including payments and prescription drug processing.

On Monday, Change Healthcare said it plans to restore claims processing for thousands of physicians in the coming days, but like Parsons, some were still unable to process claims as of Tuesday.

“On March 15, the company restored Change Healthcare’s electronic payments platform and is proceeding with payer implementations,” the company said in an update shared with CalMatters. “On March 7, the company restored 99% of Change Healthcare pharmacy network services, and continues to work on remaining issues.”

Lingering cyberattack fallout

Dr. Abid Mogannam, a vascular surgeon who serves patients in Alameda and Contra Costa counties, said about 30% of his claims go through Change Healthcare. Mogannam said that means 30% of his practice’s pay will be delayed.

“It’s significant for us. If you happen to be the unlucky practice that contracts exclusively with payers that are affected by this, you may be having to make difficult decisions like closure, bankruptcy, closing offices temporarily and limiting access to patients,” he said.

This new financial pressure, he said, came on top of rising costs due to inflation and just as small practices are recovering from the COVID-19 pandemic. “It’s been a trying couple of years,” Mogannam said. Now with the Change Healthcare situation, “We won’t be made whole for months,” he said.

Last week, the California Department of Managed Health Care urged health insurance plans to accept paper claims and remove or relax claim filing timeline requirements. The U.S. Department of Health and Human Services issued guidance that Medicare providers should relax or remove claim filing requirements and encouraged state Medicaid providers to do the same, then the agency started extending loans to Medicare providers.

“The disruption caused by this unprecedented cyber assault jeopardizes the very existence of many practices, especially smaller ones and those serving rural and underserved communities,” said California Medical Association president Tanya Spirtos in a blog post. “This is an urgent crisis that requires immediate action.”

Payment to hacker group

As health care providers scramble to pay salary and order medical supplies, the perpetrators of the attack remain at large. Following a Bitcoin payment worth an estimated $22 million, the ALPHV/Blackcat hacker group that claimed responsibility for the attack cheated co-conspirators and allegedly disbanded days later.

ALPHV/Blackcat is a multinational gang that emerged in 2021 and is maker of the second most prolific strain of ransomware-as-a-service in the world. Since 2021, the Federal Bureau of Investigation believes more than 1,000 entities in the U.S. from municipal governments and critical infrastructure providers have fallen victim to ransomware attacks.

A vulnerability that emerged in late 2023 is disproportionately impacting the health care industry, according to a cybersecurity advisory released by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services. An investigation is underway and more specifics about the vulnerability have not been revealed.

Law enforcement agencies from the U.S. as well as Australia, Denmark, Germany, Spain, and the United Kingdom took part in a joint campaign to disrupt ALPHV/Blackcat activity in December 2023.

In an advisory issued less than a week before the Change Healthcare attack, the U.S. government promised rewards up to $15 million for information leading to conviction of members of the ALPHV/Blackcat ransomware gang.

“The disruption caused by this unprecedented cyber assault jeopardizes the very existence of many practices, especially smaller ones and those serving rural and underserved communities.”
— Tanya Spirtos, president, California Medical Association

The attack on Change Healthcare has hit home especially hard for Riaz Lakhani. Lakhani runs cybersecurity for the Campbell-based firm Barracuda Networks said his wife has a dentistry practice. He said they have considered dipping into personal savings to keep her dentistry practice solvent.

Riaz says the attack demonstrates that a single point of failure or large billing company like Change Healthcare is an attractive incentive for attackers interested in getting their hands on a massive amount of data.

He said the incident brings to question whether Change Healthcare had an adequate disaster recovery program and whether hackers will attempt to sell data obtained during the attack on the dark web where health care data, where “health care data is just worth more.”

It’s also unclear if the 2022 acquisition of Change Healthcare by UnitedHealth Group introduced vulnerabilities, or whether hackers will attempt to sell data obtained from the attack, Riaz said. Last week, the U.S. Department of Health and Human Services Office for Civil Rights opened an investigation into whether a breach of protected health information occurred or violation of federal health care privacy law.

Cyber attacks on hospitals, schools

When the attack is over, there’s going to be a lot of retrospective thinking about how the largest cyber attack on the health care system in U.S. history could have been prevented, said Amy Chang, a senior fellow at the R Street Institute and former head of cybersecurity operations at JP Morgan based in San Francisco. The attack illustrates the appeal of targeting public-facing institutions like schools, local governments, and hospitals: They make prime targets because they tend to have relatively limited cybersecurity budgets and they provide essential services. Cybersecurity experts refer to them as target rich, resource poor.

The Change Healthcare attack also shows the consequences of consolidating key technologies with a handful of corporations. The attack is similar to the Colonial Pipeline cyber attack of 2021, which shut down multiple gas pipelines and triggered fuel shortages along the east coast of the United States.

“You’re seeing the same kind of cascading effects, if not even more due to this entity that you probably had never even heard of before it actually occurred having these far-reaching ramifications that especially in the healthcare setting end up truly putting lives at risk,” Chang said.

New Zealand-based cybersecurity firm Emsisoft found that across the US, cybersecurity attacks on hospitals went up in 2023 compared to 2022 and 2021. Attacks on school districts are also on the rise during that time period. Last fall, researchers estimated that ransomware attacks in the U.S. killed dozens of Medicare patients from 2016 to 2021.

Parsons, the Sacramento dermatologist, says that while her practice will have to run a tight budget until she can start billing again, she worries more for colleagues that practice a more expensive type of medicine, like oncology.

“We will be OK,” she said. “But when you think about the other types of practices that are being affected, it’s very real.”

###

CalMatters.org is a nonprofit, nonpartisan media venture explaining California policies and politics.