Change Healthcare Systems Cyberattack Shuts Down Payment Processing
A recent cybersecurity attack renews the warnings to ensure your required HIPAA compliance plan and manual are updated and active. On February 21, 2024, Change Healthcare (a subsidiary of Optum) experienced a cybersecurity attack. Some software systems, providers, hospitals, and clearinghouses have been affected by this attack. As of March 8, 2024, Change Healthcare stated that there is no indication that any other UnitedHealth Group systems have been affected by this attack. They have not verified whether patient information was compromised.
Change Healthcare announced that BlackCat/ALPHV identified itself to the company, claiming responsibility for the cybercrime. According to the US Department of Justice, BlackCat/ALPHV is the second most prolific ransomware-as-a-service entity in the world, with over 1000 victims of cybercrimes across the globe.
Advertisement
The restoration of the Change Healthcare systems has caused a shutdown of claims processing and prior authorization of benefits for some plans, including Medicare Advantage plans. The company expects to begin testing and reestablishing connectivity to its claims network and software on March 18, 2024.
Medicare Claim Information
Workarounds have been established for several payers, including National Government Services (NGS). Keep in mind that if you choose to submit paper claims to NGS, Medicare payment will occur 29 days from the date the paper claim is received, whereas the payment for electronically submitted claims is only 14 days.
As an alternative, providers can use the NGSConnex for Part B claim submissions if they are affected and choose not to wait until the Change Healthcare system is restored.
As of March 9, CMS will offer emergency funding to Medicare providers affected by last month’s Change Healthcare cyber incident. The emergency funds represent upfront payments made to providers and suppliers based on their expected future claims. You can see if you’re eligible for advanced payments here.
Other Claims Processing Information
One clearinghouse recently indicated “the route to this payer has been impacted by the Change Healthcare cyber incident. Providers will need to submit by paper, hold, or utilize the payer’s DDE.” However, we are recommending that providers hold claims, since connectivity is expected to be restored by early next week (week of March 18, 2024).
Cybersecurity Threats Remains a Problem for Healthcare
In 2023, a record-setting 725 healthcare security breaches were reported to the Department of Health & Human Services Office for Civil Rights, according to a report from The HIPAA Journal. Last year, an average of 370,000 healthcare records were breached every day.
This is an opportunity for you to ensure that your system is safe. Perform Live Updates for your Network Security software. Providers and staff should be diligent in not clicking on links in emails or on social media, downloading attachments, or clicking on any links in the email. A HIPAA requirement is that you also conduct a Security Risk Assessment (https://www.healthit.gov/sites/default/files/SRA_Tool_3.4.msi ) annually for your office. While the effects of this cybersecurity event are ongoing, providers and staff must work to protect the health information and financial records of the office and their patients. Breaches of this type are all too common and may result in significant interruptions in patient care and ensuing fines.
