Industry in need of ‘immediate relief’ following cyberattack on Change Healthcare, hospital group says
The American Hospital Association is accusing the parent company of Change Healthcare — which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide — of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.
On Friday, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online Friday afternoon.
Since the incident began on February 21, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.
UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Richard Pollack it “is not even a band-aid on the payment problems.”
Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies.
“Second, the terms and conditions of the agreement are shockingly onerous,” Pollack said — requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.
“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As Pollack pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.
As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On Monday during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting — Rome Health in central New York — is reportedly incurring $2.3 million a week in losses from the cyberattack.
“We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”
On Sunday night, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.
The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on March 1. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.
In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."
Additional reporting by Jonathan Greig.
Correction: An earlier version of this article incorrectly identified the president of the American Hospital Association as Dirk McMahon. The group's president is Richard Pollack.
James Reddick
has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.