Change Healthcare cyber attack has caused financial ‘mess’ for doctors

Small private practices and healthcare providers are facing mounting financial pressure as key reimbursement systems remain down for the ninth day following the Change Healthcare cyber attack.

Change Healthcare offers payment and revenue cycle management tools that help facilitate transactions between providers and most major insurance companies. Its parent company UnitedHealth Group discovered that a cyber threat actor had breached a portion of the unit’s information technology network on Feb. 21, according to submission with the US Securities and Exchange Commission

As a result, the company isolated and shut down affected systems “immediately upon detection” of the threat, the filing said.

The fallout sent waves of disruption across the US health care system

Doctors told CNBC that the outage left them unable to check patients’ eligibility for treatment or fill prescriptions electronically, creating more administrative responsibility for workers already overwhelmed with clerical work. Perhaps more importantly, providers have been unable to obtain reimbursement from insurers, effectively halting the revenue cycles of many health systems.

Smaller and medium-sized practices that rely on cash flow from reimbursements to operate face tough decisions about how to stay afloat. If the shutdown drags on too long, experts say some practices may have to close their doors for good.

Dr. Purvi Parikh, an allergist and immunologist in private practice in New York, told CNBC that the breach was a “mess” and “a lot of stress.” Like many others, she said her practice has been unable to receive reimbursements from insurers for patient visits, making it difficult for the practice to pay operating costs such as salaries and medical supplies.Â

Switching to a new platform can take weeks, Parikh said, so there’s no immediate solution available. As of Thursday, Change Healthcare had not shared any updates on when it expects its systems to be back online.

“The most frustrating part is that no one has any answers or solutions,” Parikh said. “We’re just stuck.”

Change Healthcare on Thursday said the Blackcat ransomware group was behind the attack. Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to Release in December from the US Department of Justice

The company said it is working with law enforcement and third-party consultants such as Google-owned Mandiant and cybersecurity software provider Palo Alto Networks to assess the breach.

“Patient care is our top priority, and we have multiple solutions in place to ensure people have access to the medicines and care they need,” Change Healthcare said in a statement to CNBC.

Dr. Kiranjit Khalsa, an allergist and immunologist who runs an independent practice in Scottsdale, Arizona, said her staff has been working longer hours to try to handle the extra work resulting from the breach, as well as manually recalling prescriptions. Â Â

She said reimbursement issues have been “the biggest burden” as she worries about how she can continue to support her patients and staff. Khalsa is considering reducing staff hours and even closing the clinic for a few days.

“I’m worried about providing them,” Khalsa said in an interview with CNBC. “I also worry about: Where am I going to get this money if it doesn’t come? Do I need to take out a loan to keep the clinic going?’

Even when Change Healthcare’s systems come back online, there are many unanswered questions about what happens next, according to Dr. Dan Inder Srow, an interventional cardiologist who owns a private practice around Phoenix, Arizona. He said it was unclear whether Change Healthcare would take on the responsibility of processing all the claims or whether it would need to hire additional staff to help.

“I don’t think people are aware that the actual people providing the services are not able to monetize those services,” Dr. Srow told CNBC. “We don’t know how long this is going to last, and it’s such a dangerous, dangerous thing.”

Dr. Jesse Ehrenfeld, president of the American Medical Association, said he spent days fielding calls from concerned colleagues.

He said he spoke to one doctor who runs an oncology practice and only has up to two weeks’ worth of cash. If the outage drags on, the clinic won’t be able to buy the chemotherapy that patients depend on for treatment.

With many suppliers operating on extremely thin margins, Ehrenfeld said there is a chance some will go out of business.

“We have so many practices that are on the edge, especially smaller practices, where they’re just scraping by,” Ehrenfeld said in an interview with CNBC. “Any deviation in the system where, ‘Oh, you don’t get checks for two weeks,’ is obviously a situation that puts practices at risk.”

In 2022. Change healthcare united with provider Optum, which serves more than 100 million patients in the U.S. and is owned by UnitedHealth, the nation’s largest healthcare company by market capitalization.

The American Medical Association vocally opposed the merger, writing a letter to the DOJ that the union could stifle competition, give UnitedHealth access to large data repositories and potentially disrupt patient care.

The merger eventually went through, but the DOJ recently launched an antitrust investigation into UnitedHealth, according to the Wall Street Journal report Tuesday.

“It’s kind of a perfect storm of regulatory issues [and] lack of competition – and unfortunately, the people who will really suffer are patients and those who work in the health care system,” said Dr. Ravi Parikh, a retinal specialist who owns and operates a practice in New York. Â

The cyber attack has left Parikh’s clinic with no way to get reimbursed for the expensive drugs it administers. He said he has considered contingency plans, such as seeking cheaper drugs and asking some patients to pay upfront, but his focus is on providing the best possible care.

“The health care system may eventually grind to a halt because many clinics and pharmacies may not be viable,” Parikh said.