Health care providers dig out from ransomware attack

It was a cyberattack against a company hundreds of miles away that sent shock waves across Indiana’s health care system.

On Feb. 21, a company called Change Healthcare, based in Nashville, Tennessee, was hit by a ransomware attack that brought the operation to a standstill. The company acts as a clearinghouse for medical billing, insurance verification, payments, claims and other “revenue cycle” operations for thousands of hospitals and medical practices.

The attack brought many of its customers’ billing and claims operations to a stop, leaving them unable to get reimbursed for billions of dollars’ worth of procedures. That included dozens of health care companies in Indiana.

At Johnson Memorial Health in Franklin, back-office workers found themselves waiting on hold with insurance companies for hours at a time.

At the Indiana Spine Group in Carmel, medical payments came screeching to a halt, and officials decided to sharply lower pay to more than a dozen of their physicians while they used dwindling cash to pay employees and vendors.

And at Columbus Regional Health, officials say the system lost about $20 million before it was able to get a new billing system up and running.

It happened so fast that many hospitals and medical systems say they were blindsided by the cyberattack that struck a vulnerable piece of the nation’s health care system.

Now the hospitals and medical practices across Indiana—and thousands more across the nation—are wondering how much longer it will take to recover and get finances back on sturdy footing. The attack also caused massive prescription processing outages across the country.

Change Healthcare is the nation’s largest clearinghouse for medical claims, handling 15 billion transactions a year and touching one in three patient records. It is owned by UnitedHealth Group, the nation’s largest health insurer, based in suburban Minneapolis.

“Almost every hospital in some form or fashion is connected to them,” said Jimmy Burnett, managing director at Katz Sapper & Miller, an Indianapolis-based accounting and consulting firm.

The hospitals and medical practices that have been hurt the most are rural or community operations, which typically don’t have large reserves to weather such a crisis, Burnett said.

“Some of these hospitals are living on their monthly cash,” he said. “And that’s come to a halt.”

A ransomware group, ALPHV, also known as BlackCat, claimed responsibility for the cyberattack, according to a regulatory filing made by UnitedHealth Group.

Reuters reported last month that a bitcoin payment equivalent to nearly $22 million was made to a cryptocurrency wallet associated with ALPHV. Separately, WIRED reported that the transaction looked “very much like a large ransom payment.”

UnitedHealth Group has not commented on the payment and did not respond to IBJ messages seeking comment.

Change Healthcare also did not respond to IBJ for comment.

Unprecedented disruption

Across Indiana, the cyberattack caused an unprecedented disruption at hospitals and for physicians and other health care providers, the Indiana Hospital Association and the Indiana State Medical Association wrote last month in a letter to the Indiana Department of Insurance.

It will likely be months before hospitals and medical practices see their claims submission and other billing processes fully return to normal, they added. The hospital association estimated that Indiana hospitals have seen $945 million worth of revenue impacted.

“Our members are pursuing every avenue to ensure claims are processed, including utilizing paper claims and seeking alternative clearing houses,” the letter said.

Johnson Memorial, based in Franklin, said it doesn’t use Change Healthcare as a claims clearinghouse but does use it to verify patient insurance. Dr. David Dunkle, the system’s CEO, said the cyberattack slowed back-office operations but fortunately did not have a large financial impact.

“Our claims teams had to wait on hold for upwards of two hours,” he said. “Luckily, they know how to multitask.”

Other groups fared much worse.

The Indiana Spine Group, a Carmel-based group of spine surgeons, said it was at a standstill for more than three weeks.

“We were just kind of stuck in limbo, no claims going out, nothing coming back,” CEO Hardy Sikand said.

The cash crunch grew so tight that the practice was forced to cut compensation to 14 of its physician-partners so it could pay more than 200 employees as well as outside vendors. It continued with surgeries and other procedures but is still trying to find the best way to get its claims and payments back on track.

“We prepared [our physicians] early on that this was going to be the outcome of this cash crunch that we were facing,” Sikand said. “We will continue to do so until we get back to normal.”

At Columbus Regional Health, the system relied entirely on Change Healthcare for hospital billing and physician billing. “The entire system was impacted,” said Grant Byers, the chief financial officer. “It cut off all of our ability to bill and receive any cash payments.”

Columbus Regional normally burns through about $1.2 million a day in expenses, and that amount drained out for weeks without being replenished. Byers said the team realized the seriousness of the cyberattack at once and immediately opened a so-called “incident command” to deal with it, with officials across various functions teaming on a daily basis to trade information and plan a workaround.

The IT department, for example, immediately shut down all of the interfaces with Change Healthcare to avoid any additional corruption.

The revenue cycle department started sketching out alternative ways to send claims and receive payments. The hospital system worked with PNC Bank for nearly three weeks to build a new clearinghouse.

But for weeks, unable to send electronic claims to insurers, Columbus Regional resorted to sending them paper claims by fax machine, often with voluminous documentation to support a physician’s treatment plan for a patient.

By March 12, Columbus Regional was able to electronically send claims to all insurance carriers except Medicare. Slowly, it was able to start getting revenue again. In the meantime, it did not miss a payroll and was able to work out payment plans with some vendors.

“We’re still trying to figure out how much this cost us,” Byers said, “not just in terms of cash, but obviously in significant man-hours, with people away from normal duty to an all-hands-on-deck approach.”

Ripple effect

Terry Reinsager, who serves as revenue cycle task force leader for the Suburban Health Organization, a group of 13 suburban hospitals in Indiana, said four hospitals in the group were severely impacted by the cyberattack.

He identified those hospitals as Hendricks Regional Health, based in Danville; Witham Health Services, based in Lebanon; Marion Health, based in Grant County; and Margaret Mary Health, based in Batesville.

Hendricks Regional declined to comment to IBJ, while Marion Health and Margaret Mary Health did not respond to emails or telephone calls.

Witham Health told IBJ it had used Change Healthcare for all its clearinghouse needs and saw its electronic billing claims come to a standstill for weeks before it was able to build a workaround to check patient insurance eligibility.

“We were actually printing and stuffing envelopes,” said Angi Ortiz, Witham’s director of revenue cycle. “Now we have a new vendor, and we’re working on implementation. That started last week, and I believe we were able to get some claims out through their system.”

Other providers say they were hit to a lesser degree by the cyberattack.

Cancer Care Group, an independent practice of 20 radiation oncologists based in Indianapolis, said because it didn’t use Change Healthcare, it was unaware of the attack at first.

Cancer Care Group normally submits its electronic claims through a clearinghouse called Availity, which then electronically pushes claims through to all the payers. If another clearinghouse is required by certain payers, Availity would normally submit those claims through Change Health or whatever other clearinghouse was required for that specific payer.

“That is where the lack of transparency is,” CEO Steve Freeland said. “We don’t know all the behind-the-scenes transaction agents involved until a mess like this comes up. Then it’s a huge roadblock that can devastate some providers and minimally or not impact others.”

He said his practice has had hundreds of thousands of dollars in claims denied from specific payers.

Many of central Indiana’s largest hospital systems said they were not greatly affected.

Eskenazi Health said the effects of the cyberattack were “very minimal” since only a portion of its claims are processed through Change Healthcare. Less than 1 percent of its overall claim volume and total charges have been impacted.

Indiana University Health, the state’s largest hospital system, said although the cyberattack disrupted its claims process and impacted cash flow, it “has not had disruptions in its ability to meet its financial commitments or provide patient care.”

Community Health Network said it does not rely on Change Healthcare directly for electronic claim submission or payment processing. Yet, like many other health systems, it has seen some delayed payments.

“We continue to monitor held claims as well as the overall impact to cash flow,” the Indianapolis-based system said.

Seeking flexibility

Now, the state hospital and medical association has urged the state insurance department to waive or extend filing requirements for claims and to prohibit payers from denying claims for technical reasons, including lack of authorization, failure to check electronic eligibility, failure to appeal denials in a timely manner.

Many insurers require hospitals and medical practices to submit claims within 90 days.

“Timely filing limits and technical issues should not lead to inappropriate denials or the recoupment of claims due to the cyberattack on Change Healthcare,” the letter said, “and all payments due should be promptly paid to help minimize current cash flow issues.”

In response, state Insurance Commissioner Amy Beard sent a memo March 28 to health insurance companies in Indiana encouraging but not requiring all insurers to increase flexibility.

She said that could be achieved by insurers agreeing to modify existing procedures for prior authorization claims submission, payments and appeals. They could also implement alternative business processes and procedures.

The department pointed out that health carriers must continue to meet Indiana statutory requirements for the prompt payment of claims. State law requires insurers to pay or deny each clean claim within 30 days if filed electronically or 45 days if filed on paper.

“Thank you for your partnership and commitment to ensuring Hoosiers continue to receive the care they need while safeguarding the stability of the health insurance market in Indiana,” she wrote.

But some hospitals and medical offices say they have yet to see much flexibility from insurers.

“I don’t know that we’ve received a lot of assistance,” said Byers of Columbus Regional Health. “We’re still experiencing denials for timely filing.”

Hancock Health, which does not use Change Healthcare as its clearinghouse, said it still saw “degraded services” in billing and medical claims because the cyberattack reverberated throughout the health system.

“We’re seeing a large volume of denials that are hitting,” said Reinsager, who, in addition to serving as revenue cycle task force leader for the Suburban Health Organization, also works as an outside contractor overseeing the Greenfield-based system’s revenue cycle. “And we’re worried about our ability to timely appeal those denials.”

Indianapolis-based Elevance Health, parent of Anthem Blue Cross Blue Shield Indiana, the state’s largest health insurer, did not return phone calls or emails to discuss the issue.

The Insurance Institute of Indiana, a not-for-profit trade association, said its members were trying to work with providers during the crisis.

“Insurers doing business in Indiana are making all attempts to comply with the requests in the IDOI memorandum and more importantly in working with providers and their insurance customers to make sure claims-handling experiences have as little disruption as possible,” the group’s president, Marty Wood, wrote in an email to IBJ.•