When a hacker group launched a ransomware attack this year on Change Healthcare, a UnitedHealth Group (UHG) clearinghouse, the healthcare behemoth disconnected and turned off compromised systems to stop the damage.
Overnight, provider and facility reimbursements ceased, and other essential revenue cycle functions went offline. Few backup systems were available, leaving health information (HI) professionals unable to manage their usual responsibilities.
As the nation's largest electronic data interchange, Change Healthcare processes about half of all medical claims and transmits the associated payer payments to providers. The exchange is also instrumental in verifying patients' health insurance coverage, generating patient cost estimates, and completing prior authorizations.
UHG has published recovery process updates via its website, including a recently announced credit monitoring program for patients concerned their personal data was exposed.
The Journal of AHIMA reached out to UHG and Change Healthcare for comment, but they did not respond by press time.
Months after the cyberattack, as some health entities are still reeling, revenue cycle leaders are sharing their experiences and encouraging HI professionals to stay current on cybersecurity trends and best practices.
Financial Fallout
The cyberattack's financial repercussions have been far-reaching. An American Hospital Association survey revealed that nearly all hospitals, a staggering 94 percent, experienced disruptions in cash flow in the tumultuous weeks following the breach. Over half of respondents said the attack led to "significant or serious" financial challenges, including difficulties meeting payroll and purchasing medical supplies.
Optum, the UHG subsidiary under which Change Healthcare operates, launched a temporary loan program in March. Within a month, advances approached $5 billion, according to status updates on UHG's website.
Despite these efforts, a recent American Medical Association survey found that 85 percent of respondents still had claim payment disruptions, and 79 percent could not receive electronic remittance advice. In June, AHIMA and several provider-based organizations urged US Department of Health and Human Services Secretary Xavier Becerra to exercise the agency's powers to prevent such catastrophic infrastructure failures during future attacks.
Myriam Torres, chief revenue officer at Jackson Health System in Miami-Dade County, FL, told NPR in March that the public hospital system could lose $30 million in payments if the clearinghouse was down for one month. Change Healthcare restored claims processing functionality in late March, approximately five weeks after the system outage.
Months later, frustrations are mounting. Torres says revenue cycle employees must use tedious manual methods because some systems, like Medicaid eligibility, are not functioning as expected.
"We still have three payers not providing electronic remits; without the electronic files, our denial process is manual," compounding delays, she says. "Medicaid pending gross [accounts receivable] has increased by $37 million, [with an] estimated $5.4 million net, due to Change Healthcare staff's inability to work on their system. Denial recovery rates have dropped over 20 percent from the prior fiscal year."
Although the health system has a service contract with Change Healthcare, Torres says it does not use any of the vendor's tools or applications. Concerned about further data integrity issues, Jackson Health has even provided computer equipment to the Change Healthcare team working on its systems.
Mobilizing Resources
While the security breach initially impacted many providers, some have since resolved their outstanding claims, often through an intense investment of time and personnel.
When a healthcare organization could not file professional fee claims, it contacted Paul Strafer, RHIA, CHPS, CCS. It usually relied on resources from Change Healthcare to code these claims, says Strafer, vice president of client success for the medical coding and billing company Pena4, based in Whitehall, PA. "With no coding getting done, no bills were getting out of the door and no cash in [their] pocket."
After mobilizing and training a team of 10 employees, Strafer and the group dove in. "We worked non-stop for close to two weeks to clear the backlog, releasing over 2,000 accounts and bringing [them] back up to speed," he says.
Other facilities grappled with even more daunting numbers. Jason Considine, HFMA CRCR, chief commercial officer at Experian Health, a revenue cycle management company headquartered in Franklin, TN, says that the cyberattack had Indiana University (IU) Health's revenue cycle operations "completely frozen." The health system maintains the largest network of physicians in the state and has more than 2,700 available beds.
With Experian Health's assistance, he says, "IU Health was able to accelerate $632 million in claims transmissions in the first five days of business and process $1.1 billion of claims backlog by the end of March."
Lessons Learned
The work isn't over for revenue cycle departments, even those that have already dealt with delayed claims and returned to normal operations. Strafer says the lingering fear of "when, not if," the next attack will occur is difficult to shake.
"The cyber terrorists were successful and received payment," he explains, alluding to the $22 million Bitcoin ransom UHG paid to the hackers to regain control of its systems. "This has opened the door for many more cyber criminals to prey upon other healthcare institutions."
US Senator Mark Warner (D-VA) introduced the Health Care Cybersecurity Improvement Act in March. If passed, the legislation could incentivize providers and their vendors to meet minimum cybersecurity standards by promising advance and accelerated payments to alleviate the financial fallout should a future cyber incident occur.
Regardless, Torres encourages revenue cycle leaders to develop a backup plan. "Have more than one vendor contracted, and cross-train your teams to quickly take over any functions needed," she says.
For example, revenue cycle employees at Jackson Health know how to perform follow-up functions previously completed only by Change Healthcare. The organization also had two contracts for denial inventory, so after the system outage, all new placements were shifted to the backup vendor.
Lining up contingency plans and vendors can make all the difference. Considine says that some providers opted to try to quickly onboard a new clearinghouse in the days and weeks following the breach, often to no avail. "They faced another roadblock [because] payers weren't equipped to handle the massive influx of enrollment paperwork," he says, further bogging down an already overwhelmed system.
Considering how the breach nearly halted revenue cycle operations nationwide, Considine anticipates additional changes. He says payers may implement streamlined provider enrollment processes and diversified reimbursement options that move away from payer exclusivity. Multiple clearinghouses could help institutions weather specific system outages.
Strafer hopes this serves as a wake-up call to HI professionals to become more knowledgeable about internet security and cyber threats. "The way we keep things secure and safe is not the same as it was 10 years ago," he says.
Steph Weber is a Midwest-based freelance journalist specializing in healthcare and law.
Take the CE Quiz