News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide

Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack

Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims. 

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

 Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

Florida Nurse Practitioner Convicted for Involvement in $200 Million Medicare Fraud Scheme Involving Clinical Laboratory Tests, Other Procedures

Federal prosecutors allege that this nurse practitioner ordered more genetic tests for Medicare beneficiaries than any other provider during 2020

Cases of Medicare fraud involving clinical laboratory testing continue to be prosecuted by the federal Department of Justice. A jury in Miami recently convicted a nurse practitioner (NP) for her role in a massive Medicare fraud scheme for millions of dollars in medically unnecessary genetic testing and durable medical equipment. She faces 75 years in prison when sentenced in December.  

In their indictment, federal prosecutors alleged that from August 2018 through June 2021 Elizabeth Mercedes Hernandez, NP, of Homestead, Florida, worked with more than eight telemedicine and marketing companies to sign “thousands of orders for medically unnecessary orthotic braces and genetic tests, resulting in fraudulent Medicare billings in excess of $200 million,” according to a US Department of Justice (DOJ) news release announcing the conviction.

“Hernandez personally pocketed approximately $1.6 million in the scheme, which she used to purchase expensive cars, jewelry, home renovations, and travel,” the press release noted.

Hernandez was indicted in April 2022 as part of a larger DOJ crackdown on healthcare fraud related to the COVID-19 outbreak.

Luis Quesada

“Throughout the pandemic, we have seen trusted medical professionals orchestrate and carry out egregious crimes against their patients all for financial gain,” said Assistant Director Luis Quesada (above) of the FBI’s Criminal Investigative Division, in a DOJ press release. Clinical laboratory managers would be wise to monitor these Medicare fraud cases. (Photo copyright: Federal Bureau of Investigation.)

Nurse Practitioner Received Kickbacks and Bribes

Federal prosecutors alleged that the scheme involved telemarketing companies that contacted Medicare beneficiaries and persuaded them to request genetic tests and orthotic braces. Hernandez, they said, then signed pre-filled orders, “attesting that she had examined or treated the patients,” according to the DOJ news release.

In many cases, Hernandez had not even spoken with the patients, prosecutors said. “She then billed Medicare as though she were conducting complex office visits with these patients, and routinely billed more than 24 hours of ‘office visits’ in a single day,” according to the news release.

In total, Hernandez submitted fraudulent claims of approximately $119 million for genetic tests, the indictment stated. “In 2020, Hernandez ordered more cancer genetic (CGx) tests for Medicare beneficiaries than any other provider in the nation, including oncologists and geneticists,” according to the news release.

The indictment noted that because CGx tests do not diagnose cancer, Medicare covers them only “in limited circumstances, such as when a beneficiary had cancer and the beneficiary’s treating physician deemed such testing necessary for the beneficiary’s treatment of that cancer. Medicare did not cover CGx testing for beneficiaries who did not have cancer or lacked symptoms of cancer.”

In exchange for signing the orders, Hernandez received kickbacks and bribes from companies that claimed to be in the telemedicine business, the indictment stated.

“These healthcare fraud abuses erode the integrity and trust patients have with those in the healthcare industry … the FBI, working in coordination with our law enforcement partners, will continue to investigate and pursue those who exploit the integrity of the healthcare industry for profit,” said Assistant Director Luis Quesada of the Federal Bureau of Investigation’s Criminal Investigative Division, in the DOJ press release.

Conspirators Took Advantage of COVID-19 Pandemic

Prosecutors alleged that as part of the scheme, she and her co-conspirators took advantage of temporary amendments to rules involving telehealth services—changes that were enacted by Medicare in response to the COVID-19 pandemic.

The indictment noted that prior to the pandemic, Medicare covered expenses for telehealth services only if the beneficiary “was located in a rural or health professional shortage area,” and “was in a practitioner’s office or a specified medical facility—not at a beneficiary’s home.”

But in response to the pandemic, Medicare relaxed the restrictions to allow coverage “even if the beneficiary was not located in a rural area or a health professional shortage area, and even if the telehealth services were furnished to beneficiaries in their home.”

Hernandez was convicted of:

  • One count of conspiracy to commit healthcare fraud and wire fraud.
  • Four counts of healthcare fraud.
  • Three counts of making false statements.

Medscape noted that she was acquitted of two counts of healthcare fraud. The trial lasted six days, Medscape reported.

Hernandez’s sentencing hearing is scheduled for Dec. 14.

Co-Conspirators Plead Guilty

Two other co-conspirators in the case, Leonel Palatnik and Michael Stein, had previously pleaded guilty and received sentences, the Miami Herald reported.

Palatnik was co-owner of Panda Conservation Group LLC, which operated two genetic testing laboratories in Florida. Prosecutors said that Palatnik paid kickbacks to Stein, owner of 1523 Holdings LLC, “in exchange for his work arranging for telemedicine providers to authorize genetic testing orders for Panda’s laboratories,” according to a DOJ press release. The kickbacks were disguised as payments for information technology (IT) and consulting services.

“1523 Holdings then exploited temporary amendments to telehealth restrictions enacted during the pandemic by offering telehealth providers access to Medicare beneficiaries for whom they could bill consultations,” the press release states. “In exchange, these providers agreed to refer beneficiaries to Panda’s laboratories for expensive and medically unnecessary cancer and cardiovascular genetic testing.”

Palatnik pleaded guilty to his role in the kickback scheme in August 2021 and was sentenced to 82 months in prison, a DOJ press release states.

Stein pleaded guilty in April and was sentenced to five years in prison, the Miami Herald reported. He was also ordered to pay $63.3 million in restitution.

These federal cases involving clinical laboratory genetic testing and other tests and medical equipment indicate a commitment on the DOJ’s part to continue cracking down on healthcare fraud.

—Stephen Beale

Related Information:

Nurse Practitioner Convicted of $200M Health Care Fraud Scheme

Florida Nurse Practitioner Convicted in $200 Million Medicare Scheme

Florida Nurse Convicted for Fraudulent Orders Billing Medicare for $200M

South Florida Nurse Convicted of Medicare Scheme for Approving $200 Million in Bogus Products

Justice Department Announces Nationwide Coordinated Law Enforcement Action to Combat COVID-19 Health Care Fraud

Laboratory Owner Pleads Guilty to $73 Million Medicare Kickback Scheme

Laboratory Owner Sentenced to 82 Months in Prison for COVID-19 Kickback Scheme

Department of Justice Recovers $1.8B from Medical Laboratory Owners and Others Accused of Alleged Healthcare Fraud During COVID-19 Pandemic

It did not take long for fraudsters to pursue hundreds of billions of federal dollars designated to support SARS-CoV-2 testing and it is rare when federal prosecutors bring cases only a few months after illegal lab testing schemes are identified

As if the COVID-19 pandemic weren’t bad enough, unscrupulous clinical laboratory operators quickly sought to take advantage of the critical demand for SARS-CoV-2 testing and defraud the federal government.

Unfortunately for the many defendants in these cases, federal investigations into alleged cases of fraud were launched with noteworthy speed. As a result of these investigations into alleged healthcare fraud by clinical laboratories and other organizations during fiscal year (FY) 2020, the US Department of Justice (DOJ) announced the US government has recovered $1.8 billion.

The federal prosecutions involved dozens of medical laboratory owners and operators who paid back “hundreds of millions in alleged federal healthcare program losses,” Goodwin Life Sciences Perspectives explained.

The annual report of the Departments of Health and Human Services (HHS) and Justice Health Care Fraud and Abuse Control Program (HCFAC) reported that federal agencies found and prosecuted alleged healthcare fraud for unnecessary laboratory testing related to:

The HCFAC is a joint program of the HHS Office of Inspector General (OIG), Centers for Medicare and Medicaid Services (CMS), and DOJ, a CMS fact sheet explained.

Billions Recovered by HCFAC Program

When combined with similar efforts starting in prior years, the program has returned to the federal government and private individuals a total of $3.1 billion, the DOJ noted.

“In its 24th year of operation, the program’s continued success confirms the soundness of a collaborative approach to identify and prosecute the most egregious instances of healthcare fraud, to prevent future fraud and abuse, and to protect program beneficiaries,” the report states.

Graphic oh healthcare fraud

According to the graphic above, which is based on analysis by B2B research company MarketsandMarkets, “North America will dominate the healthcare fraud analytics market from 2020–2025.” As clinical laboratory testing represents a significant portion of the fraud, medical lab managers will want to remain vigilant. (Graphic copyright: MarketsandMarkets.)

COVID-19 Pandemic an Opportunity for Fraud

The HHS report notes that the COVID-19 pandemic required CMS to develop a “robust fraud risk assessment process” to identify clinical laboratory fraud schemes, such as offering COVID-19 tests in exchange for personal details and Medicare information.

“In one fraud scheme, some labs are targeting retirement communities claiming to offer COVID-19 tests but are drawing blood and billing federal healthcare programs for medically unnecessary services,” the HHS report notes.

Still other alleged schemes involved billing for expensive tests and services in addition to COVID-19 testing. “For example, providers are billing a COVID-19 test with other far more expensive tests such as the Respiratory Pathogen Panel (RPP) and antibiotic resistance tests,” the report says.

“Other potentially unnecessary tests being billed along with a COVID-19 test include genetic testing and cardiac panels CPT (current procedural terminology) codes. Providers are also billing respiratory, gastrointestinal, genitourinary, and dermatologic pathogen code sets with the not otherwise specified code CPT 87798,” the report states.

Different Types of Healthcare Organizations Investigated in 2020

Beyond clinical laboratories, the HHS’ 124-page report also shares criminal and civil investigations of other healthcare organizations and areas including:

  • clinics,
  • drug companies,
  • durable medical equipment,
  • electronic health records,
  • home health providers,
  • hospice care,
  • hospitals and healthcare systems,
  • medical devices,
  • nursing home and facilities,
  • pharmacies, and
  • physicians/other practitioners.  

According to the DOJ, “enforcement actions” in 2020 included:

  • 1,148 new criminal healthcare fraud investigations opened,
  • 440 defendants convicted of healthcare fraud and related crimes,
  • 1,079 civil healthcare fraud investigations opened, and
  • 1,498 pending civil health fraud matters at year-end.

“Federal Bureau of Investigation (FBI) investigative efforts resulted in over 407 operational disruptions of criminal fraud organizations and the dismantlement of the criminal hierarchy of more than 101 healthcare fraud criminal enterprises,” the DOJ reported. 

Furthermore, the report said OIG investigations in 2020 led to:

  • 578 criminal actions against people or organizations for Medicare-related crimes,
  • 781 civil actions such as false claims, and
  • 2,148 people and organizations eliminated from Medicare and Medicaid participation.

Implications for Clinical Laboratories

In 2020, OIG issued 178 reports, completed 44 evaluations, and made 689 recommendations to HHS divisions.

Clinical laboratory leaders may be most interested in those related to patient identification as a means to combating fraud and Medicare Part B lab testing reimbursement.

The HHS report says, “Medicare Advantage (MA) encounter data continue to lack National Provider Identifiers (NPIs) for providers who order and/or refer … clinical laboratory services,” adding that, “Almost half of MA organizations believe that using NPIs for ordering providers is critical for combating fraud.”

Additionally, the report states, “Medicare Part B spending for lab tests increased to $7.6 billion in 2018, despite lower payment rates for most lab tests. The $459 million spending increase was driven by:

  • “increased spending on genetic tests,
  • “ending the discount for certain chemistry tests, and the
  • “move to a single national fee schedule.”

Medical laboratory leaders may be surprised to learn that federal healthcare investigators were so vigorous in their investigations, even during the worst of the COVID-19 pandemic.

Vigilance is critical to ensure labs do not fall under the DOJ’s scrutiny. This HHS report, which describes the types and dollars involved in fraudulent schemes by clinical labs and other providers, could help inform revisions to federal compliance regulations and statutes.

Donna Marie Pocius

Related Information

Annual Report of the Departments of Health and Human Services (HHS) and Justice Healthcare Fraud and Abuse Control (HCFAC) Program FY 2020

DOJ Recoups a Total of $1.8 Billion from Healthcare Fraud in 2020, Laboratory Recoupments Alone Account for Hundreds of Millions

Healthcare Fraud and Abuse Control Program Protects Consumers and Taxpayers by Combatting Healthcare Fraud

2020 National Health Care Fraud Takedown

Medical Laboratory Testing Company uBiome Raided by FBI for Alleged Insurance Fraud and Questionable Business Practices

Following the raid, the company’s co-founders resigned from the board of directors

Microbiome testing company, uBiome, a biotechnology developer that offers at-home direct-to-consumer (DTC) test kits to health-conscious individuals who wish to learn more about the bacteria in their gut, or who want to have their microbiome genetically sequenced, has recently come under investigation by insurance companies and state regulators that are looking into the company’s business practices.

CNBC reported that the Federal Bureau of Investigation (FBI) raided the company’s San Francisco headquarters in April following allegations of insurance fraud and questionable billing practices. The alleged offenses, according to CNBC, included claims that uBiome routinely billed patients for tests multiple times without consent.

Becker’s Hospital Review wrote that, “Billing documents obtained by The Wall Street Journal and described in a June 24 report further illustrate uBiome’s allegedly improper billing and prescribing practices. For example, the documents reportedly show that the startup would bill insurers for a lab test of 12 to 25 gastrointestinal pathogens, despite the fact that its tests only included information for about five pathogens.”

Company Insider Allegations Trigger FBI Raid

In its article, CNBC stated that “company insiders” alleged it was “common practice” for uBiome to bill patients’ insurance companies multiple times for the same test.

“The company also pressured its doctors to approve tests with minimal oversight, according to insiders and internal documents seen by CNBC. The practices were in service of an aggressive growth plan that focused on increasing the number of billable tests served,” CNBC wrote.

FierceBiotech reported that, “According to previous reports, the large insurers Anthem, Aetna, and Regence BlueCross BlueShield have been examining the company’s billing practices for its physician-ordered tests—as has the California Department of Insurance—with probes focusing on possible financial connections between uBiome and the doctors ordering the tests, as well as rumors of double-billing for tests using the same sample.”

Becker’s Hospital Review revealed that when the FBI raided uBiome they seized employee computers. And that, following the raid, uBiome had announced it would temporarily suspend clinical operations and not release reports, process samples, or bill health insurance for their services.

The company also announced layoffs and that it would stop selling SmartJane and SmartGut test kits, Becker’s reported.

uBiome Assumes New Leadership

Following the FBI raid, uBiome placed its co-founders Jessica Richman (CEO) and Zac Apte (CTO) on administrative leave while conducting an internal investigation (both have since resigned from the company’s board of directors). The company’s board of directors then named general counsel, John Rakow, to be interim CEO, FierceBiotech reported.

John Rakow (center) is shown above with uBiome co-founders Jessica Richman (lower left) and Zac Apte (lower right). In a company statement, Rakow stressed that he believed in the company’s products and ability to survive the scandal. His belief may be based on evidence. Researchers have been developing tests based on the human microbiome for everything from weight loss to predicting age to diagnosing cancer. Such tests are becoming increasingly popular. Dark Daily has reported on this trend in multiple e-briefings. (Photo copyrights: LinkedIn/uBiome.)

After serving two months as the interim CEO, Rakow resigned from the position. The interim leadership of uBiome was then handed over to three directors from Goldin Associates, a New York City-based consulting firm, FierceBiotech reported. They include:

Four testing products remain available for in-home testing on the uBiome website:

What Went Wrong?

Richman and Apte founded uBiome in 2012 with the intent of marketing a new test that would prove a link between peoples’ microbiome and their overall health. The two founders initially raised more than $100 million from venture capitalists, and, according to PitchBook, uBiome was last valued at around $600 million, Forbes reported.

Nevertheless, as a company, uBiome’s future is uncertain. Of greater concern to clinical laboratory leaders is whether at-home microbiology self-test kits will become a viable, safe alternative to tests traditionally performed by qualified personnel in controlled laboratory environments.

Dark Daily reported on the controversy surrounding this trend in “At-Home Microbiology Tests Trigger Concerns about Scientific Value and Impact from Microbiologists and Clinical Laboratory Scientists,” October 16, 2017.

It’s a trend worth watching.

—JP Schlingman

Related Information:

Insiders Describe Aggressive Growth Tactics at uBiome, the Health Start-up Raided by the FBI Last Week

FBI Investigating uBiome’s Billing Practices

Turmoil Persists at uBiome with New Management Overhaul Amid FBI Probe: Reports

uBiome Appoints John Rakow as Interim Chief Executive Officer

Another Shakeup at uBiome: Interim CEO Quits

Seven Updates on the Ongoing uBiome Investigation

Microbiome Startup uBiome Cofounders on Administrative Leave after Reports of FBI Raid

Microbiome Testing Startup Under Scrutiny for Billing Practices

At-Home Microbiology Tests Trigger Concerns about Scientific Value and Impact from Microbiologists and Clinical Laboratory Scientists

;