Initially thought to be an attack by a nation-state, the cyberattack turned out to be the work of a known ransomware group, and each day brings new revelations
Fallout continues from the cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they can neither submit claims to Change Healthcare nor receive reimbursement for these claims.
The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”
A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.
Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”
Change Healthcare handles about 15 billion payments each year.
According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.
“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman, founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems.
Millions of Records May be in Wrong Hands
Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.”
The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies.
In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”
“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.
Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”
In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”
Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:
Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
Groups have been unable to perform eligibility checks for patients.
Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.
Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amounts of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.
Could clinical laboratories use texting to improve patient compliance with the medical laboratory test orders given to them by their doctors?
California’s largest physician-owned medical practice has employed text messaging to reduce patient no-shows. Just as other innovations such as same-day walk-in clinical laboratory testing and patient at-home self-testing made it easier for patients to comply with physicians’ lab test orders, text messaging appears to help get more patients through the doors and into doctors’ exam rooms.
At least that’s the experience at Riverside Medical Clinic (RMC) in Riverside, Calif. The multi-specialty practice has more than 170 providers who see more than 400,000 patients annually. After struggling to lower its 15% baseline no-show rate using a phone-only reminder system, RMC turned to a two-way texting appointment reminder system from Santa Barbara, Calif.-based WELL Health (WELL).
According to a case study, prior to the texting system implementation, no-shows were costing RMC more than $3 million per year.
“The problem we were trying to resolve was getting a hold of our patients in an expedient manner without having to do redundant work,” Diego Galvez-Ramirez, Associate Vice President, Patient Business Services at Riverside Medical Clinic, told Healthcare IT News. “We wanted to give time back to our staff. A big frustration was not having enough time for staff to accomplish their duties.”
After RMC implemented WELL’s HIPAA-compliant text-based reminder system, front office efficiency and productivity improved, and the practice experienced a 33% decrease in appointment no-shows.
Additionally:
No-shows decreased from 15% to 10% within the first month of going live across the enterprise.
Confirmed appointments rose from 29.45% to 94.45%, translating to a savings of more than $40,000 in two months.
91% of patients who confirmed via WELL presented for their visit.
Phone volume at RMC’s two call centers decreased by 4% to 6%.
Galvez-Ramirez suggests that healthcare providers, including clinical laboratories and anatomic pathology groups, keep pace with the realities of today’s connected world. “Most of the time, the cell phone is not used to make phone calls,” he told Healthcare IT News. “You have to adapt to the new ways that your patients want and are used to communicating.
“In our environment,” he continued, “you also have to be quick to respond to your patients. No patient wants to spend unnecessary time on a phone call. Being able to send them their appointment to their phone is not a new concept, it’s an expectation.”
The WELL messaging app draws a patient’s information from the physician’s electronic health record (EHR) system to configure the appointment reminder. This includes appointment type, date/time, and location. Based on the patient’s preferred method, the system sends reminder messages via phone, text, or e-mail.
As Healthcare IT News noted, WELL’s competitors in the patient communication space include:
Texting Reduces No-Shows at Other Healthcare Networks
Other healthcare organizations also have replicated RMC’s success in reducing its no-show rates by moving away from telephone-based reminders.
An Athena Health study examined 54.3 million patient visits in 2015 and found no-show rates dropped to 4.4% when patients received a reminder text from their provider. By comparison:
Athena patients who received a phone call instead of a text failed to show up 9.4% of the time;
E-mail reminders resulted in a 5.9% no-show rate; and,
10.5% of patients who received no form of reminder message missed their appointments.
Is Texting Secure and HIPAA Compliant?
A 2018 poll conducted by the Medical Group Management Association (MGMA) found that 68% of healthcare organizations used text messaging to communicate with patients about appointments. But is it secure?
An MGMA article notes that according to HIPAA Journal, “Recent changes to HIPAA have introduced new rules relating to how Protected Health Information (PHI) should be communicated and many healthcare organizations and other covered entities are now at risk of financial sanctions and legal action should an avoidable breach of PHI occur.” The MGMA goes on to state that, “As text messaging is not typically a fully-secure channel for the communication of PHI, practices must be vigilant when sending information via text messages.”
With proper training and precautions, clinical laboratories and pathology groups might want to add text messaging to their patient outreach programs. Data indicate that doing so could improve patient compliance with the medical lab test orders given to them by their physicians. Industry experts estimate that for every 100 medical lab test requests written by providers, only about 60% of patients show up to provide the specimens needed for a lab to perform those tests. Improving on those numbers would help clinical laboratories and patients alike.
That high rate of non-participation is not true for one group of practitioners, however. Pathologists had the highest participation rate (78.7%) among specialties in PQRS and recorded the fourth-highest participation rate (80.3%) in the e-prescribing program! Pathologists received an average incentive of $246 for the 2013 e-prescribing program and $384 for the 2013 PQRS program.
AMA opposition to ICD-10 deadline moves HHS to reconsider, while leaving some transition-ready providers rankled
When it comes to implementation of ICD-10 in the United States, the “do it later” crowd seems to have convinced the Department of Health and Human Services (HHS) of the need to once again move back the compliance date for ICD-10. On April 9, HHS announced a proposed rule to defer implementation by one year, with a new effective date of October 1, 2014.
Clinical laboratories and anatomic pathology groups have a big stake in a successful transition from ICD-9 to ICD-10. Among other reasons, Medicare Part B claims for medical laboratory tests must be submitted with an appropriate ICD code [provided by the physician who ordered the lab tests] for the clinical lab or pathology group to be paid by the Medicare program.
Bigger challenge will be adoption of ICD-10 across entire U.S. healthcare system in 2013
Two disruptive events in the world of coding, billing, and claims reimbursement are about to engage the full attention of clinical laboratories and pathology groups. First is implementation of HIPAA 5010 forms for claims submission by all types of healthcare providers. This is scheduled to occur on January 1, 2012—just seven months away!
Second is implementation of ICD-10 codes. Federal law currently requires all payers and providers to begin using ICD-10 on October 1, 2013. On that date, the existing ICD-9 codes will no longer be used.