A medical tech company that handles billions of records was hacked. What you should know.
Ken AlltuckerU.S. health officials urged insurance companies to take immediate steps to ease a digital logjam after a massive data hack that snarled administrative functions for hospitals, doctors, pharmacies and millions of patients.
The U.S. Department of Health and Human Services asked insurers Tuesday to waive prior authorizations and Medicare's contractors to accept paper bills from doctors and hospitals. These temporary measures aim to address administrative problems that have emerged from the data hack of an influential company owned by UnitedHealth Group.
On Feb. 21, Change Healthcare, a property of UnitedHealth Group, disclosed that hackers had disrupted operations for the company that processes 15 billion health-related transactions a year. Change Healthcare operates a digital "clearinghouse" that connects doctors, hospitals and other health providers with insurance companies that pay for medical care and authorize medical services. Since news of the hack became public last month, doctors and hospitals have been unable to bill for some services and patients have had trouble picking up prescriptions.
Last Thursday, UnitedHealth Group said a ransomware group known as ALPHV or Blackcat was responsible for the attack that disrupted billing and care authorization systems nationwide.
In a statement Tuesday, HHS said it expected UnitedHealth to do "everything in its power to ensure continuity of operations" for doctors, hospitals and other health providers. HHS also pushed companies that serve patients enrolled in Medicare, the federal health program for adults 65 and older, to address problems prompted by the cyberattack.
Among those steps:
∎ The federal government has advised Medicare health plans to remove or relax requirements that patients or doctors obtain prior authorization before undergoing a medical test or procedure. Insurers have also been asked to halt "timely filing" rules that address when health providers must submit payment claims. Private Medicare plans also should offer "advance funding" to medical providers impacted by the data hack.
∎ HHS has asked private contactors who serve Medicare to accept paper claims from medical providers. Hospitals, doctors and other health providers have sometimes reverted to paper claims as a workaround when a data breach or cyberattack disrupts computer systems.
∎ HHS also invited hospitals facing "significant cash flow problems" since the hack to ask for accelerated payments from Medicare contractors. The federal agency also advised hospitals and doctors to switch to a different payment clearinghouse and contact a private Medicare contractor in their region.
The HHS steps were announced one day after the American Medical Association, an influential doctors group, asked the Biden administration to provide emergency financial relief to doctors affected by the cyberattack.
On Tuesday, American Medical Association President Jesse M. Ehrenfeld said the federal government's actions are a "welcome first step" but urged the agency overseeing Medicare to "recognize that physicians are experiencing financial struggles that threaten the viability of many medical practices."
The American Hospital Association on Monday blasted the plan by UnitedHealth to provide temporary financial assistance to hospitals harmed by the data attack. The trade group said the health insurance giant's funding proposal offered "one-sided contractual terms" and limited eligibility.
The cyberattack this year is by no means an anomaly.
Last year, about 1 in 3 Americans were affected by health-related data breaches. The number of attacks has surged in recent years. They are often carried out by organized hackers operating overseas who target the computer systems of health providers and the vendors and companies that serve them. Most of the largest hacks have targeted vendors who bill, mail or provide other services for hospitals, doctors and other health providers.
Last year, data breaches exposed a record 133 million health records. Most of these heists were carried out by hackers who have targeted health providers and their vendors. Last year an average of two health data hacks or thefts of at least 500 records were carried out daily in the United States.
Ken Alltucker is on X, formerly Twitter, at @kalltucker, or can be emailed at alltuck@usatoday.com.