Healthcare providers hit by frozen payments in ransomware outage

By Thomson Reuters Feb 29, 2024 | 5:09 AM

By Raphael Satter, Christopher Bing and Patrick Wingrove

WASHINGTON (Reuters) – Healthcare providers across the United States are struggling to get paid following the week-long ransomware outage at a key tech unit of UnitedHealth Group, with some smaller providers saying they are already running low on cash.

Large hospital chains are also locked out of processing payments, with some absorbing the upfront costs of being unable to collect, according to the American Hospital Association (AHA), which represents nearly 5,000 hospitals, healthcare systems, networks and other providers.

Reuters could not gauge the full magnitude of the problem, but six small businesses across the United States – five therapists and one laboratory – said they were unable to process claims and were racking up thousands of dollars in overdue payments.

The problems began last week after hackers gained access to UnitedHealth’s Change Healthcare unit, a vital lynchpin in the complex U.S. system for making and clearing insurance claims. The outage also affected electronic pharmacy refills and insurance transactions, particularly among independents, with some reverting to paper transactions.

“We are 100 percent down when it comes to billing right now,” said Phil Seubring, legal director at Forensic Fluids, a Kalamazoo, Michigan lab that does drug testing for doctors’ offices.

“I’m not getting paid,” said Jenna Wolfson, a Felton, California-based clinical social worker who provides therapy to about 30 clients a week. She said she had about $4,000 in claims in limbo. “This could be catastrophic for me and other small business mental health practitioners.”

The early impact may hit small offices harder, but providers of all sizes will feel the strain if the outage persists, John Riggi, AHA cybersecurity adviser and a former section chief for the FBI’s cyber division, told Reuters.

“Larger, more well-resourced hospitals that have alternate technologies and sufficient cash reserves will be able to sustain the outage initially and on a longer basis,” he said.

Organizations that suffer high-impact ransomware attacks can take as long as 30 days to restore core services and weeks longer to bring back less important functions, Riggi said.

It was unclear whether other clearing houses could take on additional claims traffic, and hospitals were anxiously waiting for Change to introduce new workarounds, Riggi added.

Other ransomware attacks last year, including on Clorox and MGM Resorts International, shut down key systems, hitting customers and wreaking havoc with suppliers. They took weeks to resolve and hurt both companies financially.

“It really depends on the damage that’s been done… and the resources they have available to put towards recovery,” said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance.

UnitedHealth said it understood the impact the hack has had on payments but did not immediately respond to requests for comment on how it is affecting hospitals with the issue now a week old.

“While ordinary people can still receive medical care and appointments go on as planned, thousands, if not hundreds of thousands, of providers will see their cash flow grind to a halt,” said Dana Hughes, whose family runs a physical therapy practice in Corvallis, Oregon.

She said she was unable to file claims after her software vendor disconnected from Change Healthcare.

“Workarounds are not readily available, and will involve lengthier processing time,” she said. Going with an alternate clearinghouse would cost her $300-$500, plus time.

A UnitedHealth spokesperson on Tuesday said claims submissions had returned to pre-disruption levels, noting that many providers can also use alternative clearing houses to submit claims.

UnitedHealth initially blamed a “suspected nation-state associated cybersecurity threat actor” for the disruption, but sources told Reuters a criminal gang dubbed “Blackcat” or “ALPHV” was responsible.

(Reporting by Raphael Satter and Christopher Bing in Washington, and Patrick Wingrove in New York; additional reporting by Sriparna Roy in Bengaluru; Editing by Caroline Humer and Bill Berkrot)