After a massive cyberattack took a major player in the healthcare payment industry offline, crippling the ability of medical providers across the country to get paid and disrupting some patients’ ability to fill prescriptions, it’s still unclear how many patients’ personal data may have been compromised.
Change Healthcare, which processes 14 billion payment and insurance transactions annually, said its systems were affected by a ransomware attack on Feb. 21.
Hospitals and medical groups who used the Change system have been unable to process payments, leaving them unable to meet their own financial obligations, including paying employees, providers said.
UnitedHealth Group, which owns Change Healthcare, did not say how many patients or healthcare providers in New Jersey have been affected.
But the New Jersey Hospital Association (NJHA) said the attack “massively disrupted healthcare delivery for patients and hospitals.”
Patients were unable to get prior authorizations for care, and facilities have struggled with claims processing, pharmacy orders and the ability to obtain patient data, said Cathy Bennett, the group’s president and CEO.
“We have heard from our members about the cascading effect of this cyberattack that is costing millions in reimbursement losses each day,” she said. “Hospitals, which were already grappling with workforce shortages and stabilizing financials, now have cash flow disruptions to contend with too.”
Asurvey earlier this month by the American Hospital Association found 94% of hospitals experienced a financial impact from the attack, with more than half calling the impact “significant” or “serious.”
More than 80% of hospitals reported the cyberattack has affected their cash flow, and of those, nearly 60% said more than $1 million in revenue was affected each day, it said.
According to a Reuters report, Change processes about 50% of the medical claims in the United States for about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.
In New Brunswick, St. Peter’s Healthcare System said it uses the system to process credit card transactions on its inpatient payment portal, which has been down since the incident was reported.
Spokeswoman Michelle Ozerati said in response, it turned off its patient payment webpage.
She said the page will remain “turned off until we are satisfied that enabling the page will not be a risk to our organization.”
She did not address the exact financial implication for the group, but she said no Saint Peter’s system was directly affected. Patients can contact the billing office at (732) 745-8600, ext. 6698, to make a payment by phone, she said.
Some healthcare providers are filing suit over the cyberattack. At least two lawsuits have been filed against the company by practitioners, including an Illinois mental health care provider who claimed they had to take money out of a retirement account to make payroll.
And last week, attorneys from at least six class action lawsuits against Change asked for their cases to be consolidated into one. The lawsuits all alleged Change did not keep patient personal information safe, putting them at risk of identity theft, and in some cases, they said, patients were unable to fill prescriptions because pharmacies could not process their insurance claims.
UnitedHealth Group said Monday it has advanced more than $2 billion “through multiple initiatives” to help providers whose finances have been disrupted by the cyberattack.
Asked how it notified patients of the attack, UnitedHealth spokesman Eric Hausman said: “Our privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers.”
He said the company will continue to post updated information on its website.
Giving providers a glimmer of hope that systems will be back online soon, the company said it will begin releasing new software over the next several days as it works to restore service.
“We continue to make significant progress in restoring the services impacted by this cyberattack,” Andrew Witty, CEO of UnitedHealth Group, said in a press release. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”
It said it restored Change Healthcare’s electronic payments platform on March 15, and on March 7, it restored 99% of Change Healthcare’s pharmacy network services.
The Office for Civil Rights, under the U.S. Department of Health and Human Services, is investigating whether Change Healthcare violated any patient privacy laws.
The New Jersey Department of Health did not immediately say how many providers or patients in New Jersey are affected.
Bennett, of the New Jersey Hospital Association, said insurance companies, Medicare and Medicaid providers “need to support patients” by waiving requirements for prior authorizations for care and by advancing payments to providers.
“For nearly a month, hospitals have been forced to use onerous workarounds, including manual processes, paper claims and phone calls to manage millions of transactions including prescriptions and prior authorizations for patients’ care and submitting claims to insurance companies,” Bennett said.
Please subscribe now and support the local journalism YOU rely on and trust.
Karin Price Mueller may be reached at KPriceMueller@NJAdvanceMedia.com. Follow her on X at @KPMueller.
