By Marti Webb Slay
In February of this year, Change Healthcare was hacked, and local hospitals and practices are still feeling the results of the cyberattack.
UnitedHealth Group, which owns Change Healthcare, responded on its website with a statement: “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. Our security team, along with law enforcement and independent experts, began working to address the matter.”
“Most people don’t realize how huge these healthcare technology companies are,” said Bailey Porter, healthcare advisor with Carr, Riggs & Ingram. “Change Healthcare is a really large part of Electronic Data Interchange (EDI) gateways. Practices are sending their claims to clearinghouses that are then being sent through EDI gateways, before they get to the payers. The payers contract with the gateways. So you can have a clearinghouse that isn’t Change Healthcare, but they are using a Change Healthcare EDI gateway, which is how so many people, including one in three patients, were affected. There are a ton of clearinghouses, but very few gateways to get the information from the clearinghouse to the payer.”
Some practices were more affected than others. If a payer used Change Healthcare as their clearinghouse and their gateway, they had more delays and issues than those who only used the Change gateway, because many clearinghouses were able to adapt. Porter saw that variety of problems in her own local clients. “Some practices couldn’t send out claims at all,” she said. “Some clearinghouses provided workarounds. A lot of practices started using their payer portals and submitting claims through that, which was time consuming. Each practice was affected differently, depending on how involved they were with Change Healthcare. We had everything from submitting paper claims to switching clearinghouses. It depended on the practice, and everyone was a little different.
“The business side of practices were most affected. The physicians and nurses were able to still provide care, but with the delay in submitting claims and getting a response from claims, there were a few physicians, especially smaller practices, that were starting to dip into their own savings to make up for delayed revenue. UnitedHealth was offering advance payments for those practices that were really affected and not receiving any payments.
“Although the situation has improved and I think things will be back to normal in a few months, my clients are still having delays getting reimbursed.”
As for the data breach, UnitedHealth has this statement:
“A review of the data is underway by a leading forensics expert. At this time, we know that the data had some quantity of personal health information and personally identifiable information. We are working to determine the quantity of impacted data, and we are committed to providing notifications to impacted individuals when determinations are made — and will work with the Office for Civil Rights and our customers in doing so.
“This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems. We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.
“Rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services. Anyone concerned their data may have been impacted should visit changecybersupport.com for more information. We are committed to providing appropriate support to people whose data is found to have been compromised.”
“This situation shows how fragile our healthcare infrastructure is,” Porter said. “And even if you are a large conglomerate in the healthcare space, you can still be affected. Because of the size of this, I don’t know that there is anything any one practice could do to protect themselves against another similar event, except investing in your own security and making sure your employees and providers are trained in what to look out for. Make sure you are changing your passwords and that you have firewalls and encrypted emails. Make sure you aren’t sending patient information over unsecure networks. Stay up to date with regulations. With Congress getting involved, we’re likely to see more regulations to prevent this from happening again. But the hackers are only going to get more efficient and be able to get into systems more easily. Make sure your systems are updated and upgraded to protect your practice.”