House subcommittee scrutinizes Change cyberattack

Joe Daniel Price/Getty Images

The House Subcommittee on Health and witnesses slammed insurers Tuesday for continuing to make money during the Change cyberattack crisis, while hospitals and health systems suffer revenue losses and some physician practices are on the brink of bankruptcy.

At least two representatives called out UnitedHealth Group for not attending the hearing on the Change cyberattack. UnitedHealth Group, the parent company of Change, held its Q1 earnings call on Tuesday.

"UnitedHealth Group chose not to make anyone available today," said Rep. Cathy McMorris Rodgers, R-Wash.

Insurers have been inflexible in helping providers get claims paid, witnesses said during "Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack," held by the Subcommittee on Health of the Energy and Commerce Committee. While payers continue to make money off of unpaid claims, providers are struggling, they said.

Many were forced to submit paper claims after the February 21 cyberattack shut down Change's electronic processing system, but insurers made no accommodations to accept anything other than electronic payments, according to Dr. Kimberly Merle Schrier, D-Wash. 

Kittitas Valley Healthcare, a small rural hospital in Washington, has only recouped 50% of their regular March receipts, Schrier said. Nearly two months since the attack they're still submitting claims manually. 

"However I've heard from a couple hospitals, including Kittitas Valley Hospital, that many national commercial payers have refused to provide any flexibility," Schrier said. "This means that while hospitals are forced to file claims by paper, some large insurance plans are still requiring prior authorizations and timely filing, and frankly I don't see a lot of incentive for these plans to not just to sit on the money that they're holding and I remain concerned they're doing that for their bottom line, meanwhile providers and patients are just left hanging."

"We have heard the same," said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. "That other commercial payers are reluctant or simply refusing to provide beneficial terms for advance payments."

UnitedHealth Group has been offering advance payments through a financial assistance program. The Centers for Medicare and Medicaid Services has also made available advance and accelerated payments.

It's not been enough to meet the need, according to orthopedic spine surgeon Dr. Adam Bruggeman. Many providers have chosen to work through Availity for claims processing, he said.

One provider submitted a 600-page paper claim, Riggi said, and that's not the end of the process. Once in the system it has to be edited, often the claim is rejected and additional layers of processing are needed. In the meantime, the insurers sit on the reimbursements, he said.

Hospitals were aware right away of a problem with the claims system because they were disconnected from Change's services, Riggi said.

However, he said by statement, "During the early days and weeks of the event, it was very difficult to obtain clear information from UnitedHealth Group. Initially, there was little communication and a minimization of the impact this event was having on the ability to process medical claims."

When the question arose during the hearing of the cyberattack's impact on patients' personal health information, Riggie said, "We have no confirmation of data stolen."

What's needed:

Schrier said that, as a legislative body, Congress needs to do more to fix the root of the problem.

Riggi said the government needs to provide resources and it needs to go after bad actors overseas. The 2015 Cybersecurity Sharing Act called for automated sharing of malware signatures. 

"We need to have this done on an automated basis," Riggi said.

Scott MacLean, board chair of the College of Healthcare Information Management Executives (CHIME) said the Office of the National Coordinator provides an annual risk assessment. What's needed, he said, are safe harbors for information sharing. Greater transparency is needed.

"Our sector also needs a federally driven playbook," MacLean said. "We need to know who to call during a cyber incident and we must have a clear pathway to the federal front door at HHS (Department of Health and Human Services)."

Reaction:

Riggi submitted this statement: "Since the AHA first learned of the attack, we have remained in communication with UnitedHealth Group leadership to lend our support and share our members' challenges because of the Change Healthcare outage. The AHA issued a survey to all U.S. hospitals on Friday, March 9, 2024. These results reflect responses representing 960 hospitals as of the morning of Tuesday, March 12, 2024.

"According to Kodiak Solutions, a revenue cycle data analytics firm, the value of claims submitted dropped $6.3 billion for their 1,850 hospitals and 250,000 physician clients alone," Riggi said "While much of the claims and payment system functionality has been restored, it remains unclear as to how long it will take for all operations to return to normal. This is because reconnecting is not the only step to recovery. Providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. Therefore, hospitals, physicians and patients are continuing to experience financial and operational impacts." 

Riggi said, "What we do know, however, is that UnitedHealth Group reported to the Securities and Exchange Commission on March 21 that, 'the company has not determined the incident is reasonably likely to materially impact the company's financial condition or results of operations,' even as it has harmed providers across the country."

Blue Cross Blue Shield Association submitted this statement to the House Energy and Commerce Health Subcommittee: "The Change Healthcare cyberattack caused significant disruption for the entire healthcare industry, including patients, health care providers and health plans that rely on Change Healthcare for claims processing and other functions. The security of patients' data is a critical priority.

"Given these disruptions and to support our patients and provider partners, BCBS Plans across the country took immediate action to support providers in need. This included: Facilitating the transition from Change Healthcare to nearly 50 different alternative clearinghouses and local claims submission portals; Educating and reaching out to providers that had not filed claims nor had been reimbursed so they knew we BCBS was there to help; Providing advanced payments and other flexibilities so providers without reserves or limited cash on hand so they would have the revenue they needed.
 
"Our data shows that these actions have made a difference. With limited exceptions, claims volumes for BCBS Plans across the country are above, at or near normal levels for all lines of business," BCBS said.
 
MGMA submitted a statement for the record to the House Committee on Health: "Given the breadth of services Change Healthcare offers, MGMA members felt myriad negative consequences following the cyberattack. Physician practices diligently instituted workarounds for various processes to remain operational, which required significant labor costs and time to institute, diverting critical resources from patient care.
 
"The cyberattack on Change Healthcare made it evident that there are significant vulnerabilities in our healthcare system, which must be addressed -- especially as the threat of such attacks only continues to rise. MGMA submitted recommendations including: Having safeguards and contingency plans in place for health plans, clearinghouses, and other third-party vendors; Examining whether further authorities and flexibilities should be granted to federal agencies responding to future attacks to support physician practices; A review whether other policies should be introduced such as waiving timely filing requirements for health plans, reducing prior authorization burden and relaxing other requirements.

The president's budget acknowledged the need to bolster cybersecurity resources within the healthcare sector, allocating $800 million to assist "high-need, low-resourced" hospitals to help implement cybersecurity practices, MGMA said. The budget also proposed $500 million for an incentive program for advanced cybersecurity practices for hospitals. Ensuring that all physician practices are afforded resources similar to those proposed for hospitals is critical."

Email the writer: SMorse@himss.org