Cyberattack Paralyzes the Largest US Health Care Payment System

An urgent care chain in Ohio may be forced to stop paying rent and other bills to cover salaries. In Florida, a cancer center is racing to find money for chemotherapy drugs to avoid delaying critical treatments for its patients. And in Pennsylvania, a primary care doctor is slashing expenses and pooling all of her cash — including her personal bank stash — in the hopes of staying afloat for the next two months.

These are just a few examples of the severe cash squeeze facing medical care providers — from large hospital networks to the smallest of clinics — in the aftermath of a cyberattack two weeks ago that paralyzed the largest U.S. billing and payment system in the country. The attack forced the shutdown of parts of the electronic system operated by Change Healthcare, a sizable unit of UnitedHealth Group, leaving hundreds, if not thousands, of providers without the ability to obtain insurance approval for services ranging from a drug prescription to a mastectomy — or to be paid for those services.

In recent days, the chaotic nature of this sprawling breakdown in daily, often invisible transactions led top lawmakers, powerful hospital industry executives and patient groups to pressure the U.S. government for relief. On Tuesday, the Health and Human Services Department announced that it would take steps to try to alleviate the financial pressures on some of those affected: Hospitals and doctors who receive Medicare reimbursements would mainly benefit from the new measures.

U.S. health officials said they would allow providers to apply to Medicare for accelerated payments, similar to the advanced funding made available during the pandemic, to tide them over. They also urged health insurers to waive or relax the much-criticized rules imposing prior authorization that have become impediments to receiving care. And they recommended that insurers offering private Medicare plans also supply advanced funding.

H.H.S. said it was trying to coordinate efforts to avoid disruptions, but it remained unclear whether these initial government efforts would bridge the gaps left by the still-offline mega-operations of Change Healthcare, which acts as a digital clearinghouse linking doctors, hospitals and pharmacies to insurers. It handles as many as one of every three patient records in the country.

The hospital industry was critical of the response, describing the measures as inadequate.

Beyond the news of the damage caused by another health care cyberattack, the shutdown of parts of Change Healthcare cast renewed attention on the consolidation of medical companies, doctors’ groups and other entities under UnitedHealth Group. The acquisition of Change by United in a $13 billion deal in 2022 was initially challenged by federal prosecutors but went through after the government lost its case.

So far, United has not provided any timetable for reconnecting this critical network. “Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” United said in an update on its website.

But on March 1, a bitcoin address connected to the alleged hackers, a group known as AlphV or BlackCat, received a $22 million transaction that some security firms say was probably a ransom payment made by United to the group, according to a news article in Wired. United declined to comment, as did the security firm that initially spotted the payment.

Still, the prolonged effects of the attack have once again exposed the vast interconnected webs of electronic health information and the vulnerability of patient data. Change handles some 15 billion transactions a year.

The shutdown of some of Change’s operations has severed its digital role connecting providers with insurers in submitting bills and receiving payments. That has delayed tens of millions of dollars in insurance payments to providers. Pharmacies were initially unable to fill many patients’ medications because they could not verify their insurance, and providers have amassed large sums of unpaid claims in the two weeks since the cyberattack occurred.

“It absolutely highlights the fragility of our health care system,” said Ryan S. Higgins, a lawyer for McDermott Will & Emery who advises health care organizations on cybersecurity. The same entity that was said to be responsible for the cyberattack on Colonial Pipeline, a pipeline from Texas to New York that carried 45 percent of the East Coast’s fuel supplies, in 2021 is thought to be behind the Change assault. “They have historically targeted critical infrastructure,” he said.

In the initial days after the attack on Feb. 21, pharmacies were the first to struggle with filling prescriptions when they could not verify a person’s insurance coverage. In some cases, patients could not get medicine or vaccinations unless they paid in cash. But they have apparently resolved these snags by turning to other companies or developing workarounds.

“Almost two weeks in now, the operational crisis is done and is pretty much over,” said Patrick Berryman, a senior vice president for the National Community Pharmacists Association.

But with the shutdown growing longer, doctors, hospitals and other providers are wrestling with paying expenses because the steady revenue streams from private insurers, Medicare and Medicaid are simply not flowing in.

Arlington Urgent Care, a chain of five urgent care centers around Columbus, Ohio, has about $650,000 in unpaid insurance reimbursements. Worried about cash, the chain’s owners are weighing how to pay bills — including rent and other expenses. They’ve taken lines of credit from banks and used their personal savings to set aside enough money to pay employees for about two months, said Molly Fulton, the chief operating officer.

“This is worse than when Covid hit because even though we didn’t get paid for a while then either, at least we knew there was going to be a fix,” Ms. Fulton said. “Here, there is just no end in sight. I have no idea when Change is going to come back up.”

The hospital industry has labeled the infiltration of Change “the most significant cyberattack on the U.S. health care system in American history,” and urged the federal government and United to provide emergency funding. The American Hospital Association, a trade group, has been sharply critical of United’s efforts so far and the latest initiative that offered a loan program.

“It falls far short of plugging the gaping holes in funding,” Richard J. Pollack, the trade group’s president, said on Monday in a letter to Dirk McMahon, the president of United.

“We need real solutions — not programs that sound good when they are announced but are fundamentally inadequate when you read the fine print,” Mr. Pollack said.

The loan program has not been well received out in the country.

Diana Holmes, a therapist in Attleboro, Mass., received an offer from Optum to lend her $20 a week when she says she has been unable to submit roughly $4,000 in claims for her work since Feb. 21. “It’s not like we have reserves,” she said.

She says there has been virtually no communication from Change or the main insurer for her patients, Blue Cross of Massachusetts. “It’s just been maddening,” she said. She has been forced to find a new payment clearinghouse with an upfront fee and a year’s contract. “You’ve had to pivot quickly with no information,” she said.

Blue Cross said it was working with providers to find different workarounds.

Florida Cancer Specialists and Research Institute in Gainesville resorted to new contracts with two competing clearinghouses because it spends $300 million a month on chemotherapy and other drugs for patients whose treatments cannot be delayed.

“We don’t have that sort of money sitting around in a bank,” said Dr. Lucio Gordan, the institute’s president. “We’re not sure how we’re going to retrieve or collect the double expenses we’re going to have by having multiple clearinghouses.”

Dr. Christine Meyer, who owns and operates a primary care practice with 20 clinicians in Exton, Pa., west of Philadelphia, has piled “hundreds and hundreds” of pages of Medicare claims in a FedEx box and sent them to the agency. Dr. Meyer said she was weighing how to conserve cash by cutting expenses, such as possibly reducing the supply of vaccines the clinic has on hand. She said if she pulled together all of her cash and her line of credit, her practice could survive for about two and a half months.

Through Optum’s temporary funding assistance program, Dr. Meyer said she received a loan of $4,000, compared with the roughly half-million dollars she typically submits through Change. “That is less than 1 percent of my monthly claims and, adding insult to injury, the notice came with this big red font that said, you have to pay all of this back when this is resolved,” Dr. Meyer said. “It is all a joke.”

The hospital industry has been pushing Medicare officials and lawmakers to address the situation by freeing up cash to hospitals. Senator Chuck Schumer, Democrat of New York and the chamber’s majority leader, wrote a letter on Friday, urging federal health officials to make accelerated payments available. “The longer this disruption persists, the more difficult it will be for hospitals to continue to provide comprehensive health care services to patients,” he said.

In a statement, Senator Schumer said he was pleased by the H.H.S. announcement because it “will get cash flowing to providers as our health care system continues to reel from this cyberattack.” He added, “The work cannot stop until all affected providers have sufficient financial stability to weather this storm and continue serving their patients.”