As the aftermath of a cyberattack on a major healthcare company enters its third week, desperate patients across the country are being forced to choose between paying for essential medicines out of pocket or forgoing them altogether.
A little-known fact is that Change Healthcare, an important subsidiary of UnitedHealth Group, detected this attack on February 21st. Since then, pharmacies, clinics and patients have claimed that their lives and jobs have been ruined by a massive outage of systems commonly used for medical billing and insurance claims.
In particular, disruptions in co-pay support and coupon card processing at pharmacies have highlighted serious vulnerabilities in systems on which people's lives depend.
Rhonda Miller, 54, said she and her husband rely on discount cards to buy insulin. Her husband has type 2 diabetes and congestive heart failure. But when she tried to pick up her medication at a pharmacy in Deadwood, South Dakota, on February 22, her card could not be processed. Without it, the drug would cost hundreds of dollars.
“If you have diabetes, whether you have type 1 or type 2 diabetes, you will die without insulin,” Miller says.
Change Healthcare's technology goes beyond transactions involving United Healthcare insurance and touches transactions across the industry. The company says it processes 15 billion transactions annually and generates $1.5 trillion in health insurance claims. Change said on its website that the hack affected 21 parts of its business, many of which are used by healthcare providers to receive payments, receive reimbursement from insurance companies, and process patients' insurance eligibility.
“Everything that requires interaction between health plans, pharmacies, facilities, and offices is disrupted,” said Dr. Jesse Ehrenfeld, president of the American Medical Association. “This could be whether you take standard medications on a daily basis, whether you rely on a drug company rebate program, or whether you are simply trying to get clearance for regular elective surgery, with far-reaching implications.”
UnitedHealth Group said in a statement after the cyberattack that it “took immediate steps to disconnect Change Healthcare's systems to prevent further impact” and services “will remain offline until we are confident it can be safely resumed.”
The company announced Tuesday that a new network connecting pharmacies and benefits managers could go live as soon as Thursday.
Laura Lester, owner of Marion Family Pharmacy in Marion, Virginia, said the biggest impact in the community is on patients who cannot afford their medications without copay assistance cards.
“We have people coming off diabetes medications, antipsychotic medications, ADHD medications,” she says.
“Yesterday, one woman had to pay $1,100 out of pocket because her Co-Pay card didn't work,” Lester added. The patient required medication for irritable bowel syndrome.
Even patients who do not have access to copay assistance face untold challenges. Donna Hamlet, a 73-year-old breast cancer patient at the Florida Institute for Cancer Specialists, takes a drug called IBRANCE, which costs about $16,000 a month without insurance coverage. But on Feb. 23, she said, her pharmacist told her that her insurance could not process the refill because of the cyber attack.
Without medicine, Hamlet said, “the cancer would fill my body and I would die.”
After four or five days on the phone, she had a prescription filled through OptumRx, UnitedHealth Group's pharmacy benefits manager.
Nathan Walker, CEO of the Florida Institute, which treats Hamlet, estimates that $350 million worth of his clinic's claims were affected by billing delays caused by the cyber attack.
But Walker said he's most concerned about patients who can't get prior approval. Many insurance companies require prior authorization for cancer treatments that can cost up to $100,000 per course.
“Right now, we don't even know if we have prior authorization for new patients,” he said.
The Centers for Medicare and Medicaid Services on Tuesday encouraged Medicare and Medicaid programs to consider eliminating or relaxing prior authorizations during outages and providing upfront funding to health care providers. CMS said hospitals will be able to submit requests for expedited payments, and Medicare providers who are struggling to submit claims will be able to send paper versions and may qualify for exceptions or extensions.
UnitedHealth Group said as of Tuesday, about 90% of claims were being processed “without interruption” thanks to temporary fixes and the system being brought back online, and pharmacy claims were “at near-normal levels.”
The company is encouraging healthcare providers to switch to the Optum system to speed up the process of submitting claims and receiving payments. Meanwhile, the company said the new network connections it plans to make Thursday should cover “the majority of the coupon volume” managed by Change Healthcare.
Optum also offers temporary loans to medical institutions, but providers say it's not enough.
Dr. Kristin Meyer, who runs an internal medicine practice in Exton, Pa., said her practice submits insurance claims of up to $600,000 a month, but only received financing offers of $4,000 a month.
Meyer said the small offer was “an emotional slap in the face” as her income suddenly stopped.
She said her practice manually submits some claims to insurance websites, and her staff prints about 1,000 paper claims and FedExes them to Medicare.
“The next thing I have to do is start cutting expenses, stop buying supplies and vaccines, then cut staff, then shorten business hours, and then, God forbid, it's unthinkable. Just closing the door,” Meyer said.
Doctors, pharmacists and industry experts say the hack has exposed significant vulnerabilities in the healthcare sector, especially given Change Healthcare's dominance.
“How does the system allow a data breach of this magnitude to occur and almost two weeks later leave a small pharmacy owner looking for a solution?” said Dr. Mayank Amin, owner of Skippack Pharmacy in Skippack, Pennsylvania.
Amin said he and his staff have spent hours calling insurance companies and manually checking patient eligibility one person at a time. He said his job keeps him up until 2 a.m. every night. Tomorrow, Amin plans to pick up free samples of the blood-thinning drug from a local clinic and distribute them to patients.
“What do you get out of this? There's zero profit, but you get the feeling that you can help the people who depend on you,” he said.
Rhonda Miller said she has given her husband a free box of diabetes medication so far at a pharmacy in South Dakota, and his doctor has also provided samples. But for families like hers, she says, the disruption means “playing with people's lives.”
Change Healthcare said the perpetrator of the cyberattack “identified itself as ALPHV/Blackcat.” Alphv was involved in an attack on MGM Resorts last year that cost the company $100 million. Alphv is developed and maintained by a group of Russian-speaking cybercriminals.
Victims of cybercrime last year made record extortion payments totaling $1 billion to ransomware criminals, according to Chainalysis, a company that tracks cryptocurrency payments.
UnitedHealthcare did not respond to questions about whether it had paid the ransom. However, experts from cybersecurity firm Recorded Future and cryptocurrency analysis firm Tenable pointed to a Bitcoin wallet that received more than $22 million in payments on Friday. Both companies claim the wallet seen by NBC News belonged to Alphv. Wired first reported the news.
This amount has since been calculated to be worth $3.2 million, but the companies have not been able to fully track it. Alphv's site on the dark web claims to no longer be operational.
Eric Noonan, a cybersecurity expert and CEO of CyberSheath, said if UnitedHealth were to pay the ransom, “this would set a terrible precedent, because if UnitedHealth were to go ahead and do it now… The fact that we are here is to argue that this is a viable market.”
Noonan added that Change Healthcare “was a very attractive target” because it operates critical infrastructure and the attacks had tangible results.
Noonan said UnitedHealth needs to address whether patients' personal information has been compromised. So far, the company has said only that its team is “actively engaged and working to understand the impact.”
Noonan also called on the federal government to mandate minimum cybersecurity for all critical infrastructure sectors, including health care.
“I think Americans are somewhat vulnerable in this regard because they rely on their companies to implement adequate levels of cybersecurity, and very little of that is being done,” he said.