Worcester health care industry feeling pain from cyberattack that paralyzed payment system
WORCESTER — When it rains, it pours. The old saying that describes bad things happening at the same time could apply to the health care industry.
It’s plagued with skyrocketing costs for care, a severe shortage of nurses and primary care doctors, and “boarding” that has patients stuck for weeks in emergency rooms and hospital hallways, waiting for an available bed. Don't forget about the Steward Health Care financial crisis.
Now, there’s another log to put on the troubled health care fireplace: a cyberattack.
It happened nearly a month ago, on Feb. 21. A ransomware attack crippled Change Healthcare, and many health care institutions nationwide are feeling the pain, including some in Worcester.
One is Revidas on Grove Street, a company that provides mental health counseling to over 200 clients. Revidas depends on the smooth processing of insurance claims to get paid, meet payroll and cover its expenses. However, the processing ground to a halt when Change, a subsidiary of UnitedHealth Group, was hit by a cyberattack.
Change Healthcare, the largest clearinghouse for insurance billing and payments in the U.S., takes claims from medical providers and sends them along to insurance companies.
Monthly payroll at Revidas runs about $50,000, and managing director Geoff Cushner said that since the cyberattack, his company has continued to see clients even though many insurance reimbursements aren’t coming in.
“The industry can’t continue like this,” said Cushner.
He said Revidas continues to see clients due to ethical obligations, but fears some providers could stop services until Change Healthcare returns to normal operations. Some providers, said Cushner, might have to turn away patients with government insurance plans like Medicare and Medicaid, and accept only cash payments.
Cushner has been in touch with a bank for a potential loan to cover expenses until Change is back on its feet. That could reportedly start Monday, when the company is expected to have its payment platform back online. It hopes to have its medical claims network fully operational on Wednesday.
'Not something I would see as realistic'
Some are skeptical that timeline will be achieved, believing it will take more time before insurance reimbursements are flowing at the pace that existed before the cyberattack. A Monday resumption to normal "is not something I would see as realistic,” said Sergio Melgar, executive vice president and chief financial officer at UMass Memorial Health.
UMass has been unable to bill for most medical services since Feb. 21, an amount of lost reimbursement that totals $11 million daily, said Melgar. The health system tapped into an $80 million line of credit to help meet its financial obligations. It also requested advance payments from some payers, including Medicare, Medicaid and commercial insurers.
The hospital continues to see patients, despite the financial disruption. UMass will check the reliability of Change Healthcare’s system to make sure it’s secure and can protect patient and institution data before reconnecting to it.
Cash advances needed
As for how long UMass can weather the financial storm, Melgar said it depends on whether cash advances come through from Medicare, Medicaid and other payers.
The federal government authorized intermediaries to supply up to 30 days of cash advances, according to Melgar. Approval came through from one intermediary to provide roughly $2 million to Harrington Hospital. Melgar expects another intermediary to provide cash advances for the health system’s larger hospitals, including UMass Memorial Medical Center.
“Ideally this can shelter us from a cash shortfall until system operations can get back to a normal activity cycle,” he said.
Meanwhile, pharmacy is the clinical area most impacted at UMass, where the challenge is verifying patient eligibility for prescriptions. Manual submissions and using other software tools are being used to fill prescriptions, but Melgar said the pharmacy situation remains a challenge.
Community Healthlink, a provider of mental health, substance use and homelessness services that is affiliated with UMass Memorial Health, is processing insurance claims, said Melgar. That is happening, because Community Healthlink is the smallest provider in the UMass Memorial system.
However, other departments at UMass haven't been able to file insurance claims since Feb. 21, and Melgar explained the hospital's billing runs on 30-day cycles. He anticipates a “big cash shortage” in March.
Saint Vincent Hospital declined comment when asked if the cyberattack had impacted its financial and clinical operations.
Questions and federal investigation
The breach opens a can of questions, including how it happened, and what can be done to prevent other ruptures. It also put the spotlight on the private and public sectors to take a hard look at their operations and what they can do to better safeguard sensitive personal and organizational information.
The U.S. Department of Health and Human Services Office for Civil Rights is investigating UnitedHealth Group. The federal agency said the breach reached a level of “unprecedented magnitude.”
Closer to home, state Sen. Michael Moore, a Millbury Democrat, cosponsored legislation to modernize electronic systems against cybersecurity threats. The bill would create a cybersecurity control board of experts from the public and private sectors to establish basic protections against data breaches.
“Leaving it up to the private sector for self-regulation is not working,” said Moore. To highlight the need for lawmakers to pass the bill, Moore cited a survey by the Massachusetts Health and Hospital Association that showed the magnitude of the cyberattack on Change Healthcare: approximately $24 million in reimbursement losses daily for 12 Massachusetts hospitals and health systems.
“The dollar value that impacted our hospitals and health care systems is enormous,” said Moore.
Former Gov. Charlie Baker signed an executive order in December 2022 to enhance the state’s ability to prepare for and respond to cybersecurity incidents. Melgar said an interconnected world electronically means vigilance is needed to protect businesses and individuals from cybercrime.
Larger crisis?
Cushner hopes Change Healthcare returns to the business of processing insurance claims in a timely fashion, sooner rather than later. Reimbursements at his company dropped 85% so far this month, and while Cushner is optimistic Revidas will remain in the health care game despite the challenge, other providers may not be as fortunate.
“I hope by the end of next week, the (Change Healthcare) system is turned on. If not, we could have a larger crisis, and other providers could go out of business.”
Contact Henry Schwan at henry.schwan@telegram.com. Follow him on Twitter @henrytelegram
This article originally appeared on Telegram & Gazette: Worcester health care industry feeling pain from Change cyberattack
