News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide

Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack

Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims. 

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

 Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

Text-based Appointment Reminder System Cuts Patient No-Show Rates by One-Third at California’s Largest Physician-Owned Medical Practice

Could clinical laboratories use texting to improving patient compliance with the medical laboratory test orders given to them by their doctors?

California’s largest physician-owned medical practice has employed text messaging to reduce patient no-shows. Just as other innovations such as same-day walk-in clinical laboratory testing and patient at-home self-testing made it easier for patients to comply with physicians’ lab test orders, text messaging appears to help get more patients through the doors and into doctors’ exam rooms.

At least that’s the experience at Riverside Medical Clinic (RMC) in Riverside, Calif. The multi-specialty practice has more than 170 providers who see more than 400,000 patients annually. After struggling to lower its 15% baseline no-show rate using a phone-only reminder system, RMC turned to a two-way texting appointment reminder system from Santa Barbara, Calif.-based WELL Health (WELL).

According to a case study, prior to the texting system implementation, no-shows were costing RMC more than $3 million per year. “The problem we were trying to resolve was getting a hold of our patients in an expedient manner without having to do redundant work,” Diego Galvez-Ramirez, Associate Vice President, Patient Business Services at Riverside Medical Clinic, told Healthcare IT News. “We wanted to give time back to our staff. A big frustration was not having enough time for staff to accomplish their duties.”

After RMC implemented WELL’s HIPAA-compliant text-based reminder system, front office efficiency and productivity improved, and the practice experienced a 33% decrease in appointment no-shows.

Additionally:

  • No-shows decreased from 15% to 10% within the first month of going live across the enterprise.
  • Confirmed appointments rose from 29.45% to 94.45%, translating to a savings of more than $40,000 in two months.
  • 91% of patients who confirmed via WELL presented for their visit.
  • Phone volume at RMC’s two call centers decreased by 4% to 6%.

Galvez-Ramirez suggests that healthcare providers—including clinical laboratories and anatomic pathology groups—keep pace with the realities of today’s connected world. “Most of the time, the cell phone is not used to make phone calls,” he told Healthcare IT News. “You have to adapt to the new ways that your patients want and are used to communicating.

“In our environment,” he continued, “you also have to be quick to respond to your patients. No patient wants to spend unnecessary time on a phone call. Being able to send them their appointment to their phone is not a new concept, it’s an expectation.”

Based on an Axway survey of 1,200 smartphone users aged 18-60, the graphic above supports the view that text messaging is now the preferred method of communications for most people. Could clinical laboratories employ text messaging to lower patient no-shows and increase the proportion of patients who actually show up at a patient service center to provide a specimen in response to the medical laboratory test orders given to them by their physicians? (Graphic copyright: MakingCharts.com/Axway.)

The WELL messaging app draws a patient’s information from the physician’s electronic health record (EHR) system to configure the appointment reminder. This includes appointment type, date/time, and location. Based on the patient’s preferred method, the system sends reminder messages via phone, text, or e-mail.

As Healthcare IT News noted, WELL’s competitors in the patient communication space include:

Texting Reduces No-Shows at Other Healthcare Networks

Other healthcare organizations also have replicated RMC’s success in reducing its no-show rates by moving away from telephone-based reminders.

An Athena Health study examined 54.3 million patient visits in 2015 and found no-show rates dropped to 4.4% when patients received a reminder text from their provider. By comparison:

  • Athena patients who received a phone call instead of a text failed to show up 9.4% of the time;
  • E-mail reminders resulted in a 5.9% no-show rate; and,
  • 10.5% of patients who received no form of reminder message missed their appointments. 

Is Texting Secure and HIPAA Compliant?

A 2018 poll conducted by the Medical Group Management Association (MGMA) found that 68% of healthcare organizations used text messaging to communicate with patients about appointments. But is it secure?

An MGMA article notes that according to HIPAA Journal, “Recent changes to HIPAA have introduced new rules relating to how Protected Health Information (PHI) should be communicated and many healthcare organizations and other covered entities are now at risk of financial sanctions and legal action should an avoidable breach of PHI occur.” The MGMA goes on to state that, “As text messaging is not typically a fully-secure channel for the communication of PHI, practices must be vigilant when sending information via text messages.”

With proper training and precautions, clinical laboratories and pathology groups might want to add text messaging to their patient outreach programs. Data indicate that doing so could improve patient compliance with the medical lab test orders given to them by their physicians. Industry experts estimate that for every 100 medical lab test requests written by providers, only about 60% of patients show up to provide the specimens needed for a lab to perform those tests. Improving on those numbers would help clinical laboratories and patients alike.

—Andrea Downing Peck

Related Information:

Text-based Tool Reduces Patient No-Shows by More Than Two-Thirds

Case Study: Largest Physician-Owned Practice in California Sees a 33% Reduction in No-Shows in One Month

MGMA Stat Poll Indicates Most Organizations Use Text Messaging to Communicate Appointments

Getting No-Shows to Show Up

Not Texting in Healthcare? Here’s Why You Should

Text Messaging Remains an Effective Tool for Patient Appointment Reminders

To Get Patients in the Door, Try Texting

5 Ways Home Healthcare Providers Grow by Texting Clients, Employees

HHS Proposes One-Year Delay for ICD-10 Implementation: Is This Good News for Clinical Pathology Laboratories?

AMA opposition to ICD-10 deadline moves HHS to reconsider, while leaving some transition-ready providers rankled

When it comes to implementation of ICD-10 in the United States, the “do it later” crowd seems to have convinced the Department of Health and Human Services (HHS) of the need to once again move back the compliance date for ICD-10. On April 9, HHS announced a proposed rule to defer implementation by one year, with a new effective date of October 1, 2014.

Clinical laboratories and anatomic pathology groups have a big stake in a successful transition from ICD-9 to ICD-10. Among other reasons, Medicare Part B claims for medical laboratory  tests must be submitted with an appropriate ICD code [provided by the physician who ordered the lab tests] for the clinical lab or pathology group to be paid by the Medicare program.
(more…)

Clinical Laboratories Beware: Many Payers May Not Be Ready for HIPAA 5010 on January 1, 2012

Bigger challenge will be adoption of ICD-10 across entire U.S. healthcare system in 2013

Two disruptive events in the world of coding, billing, and claims reimbursement are about to engage the full attention of clinical laboratories and pathology groups. First is implementation of HIPAA 5010 forms for claims submission by all types of healthcare providers. This is scheduled to occur on January 1, 2012—just seven months away!

Second is implementation of ICD-10 codes. Federal law currently requires all payers and providers to begin using ICD-10 on October 1, 2013. On that date, the existing ICD-9 codes will no longer be used.

(more…)

Graduating Physicians Opt for Jobs in Hospital-Owned Practices over Private Practices

Trend could prove unfavorable to independent clinical laboratory companies

More physicians now join hospital-owned practices than any other type of practice. That’s one conclusion reported in a survey conducted by the Medical Group Management Association (MGMA). This is a trend that may have negative implications for independent clinical laboratory companies and pathology groups that provide medical laboratory testing to office-based physicians.

In the MGMA survey, higher compensation packages offered by hospital-owned practices were cited as one reason why growing numbers of physicians choose a hospital-owned practice. The survey also determined that physicians believe they will have a better chance for reimbursements in hospital-owned practice settings, compared to other practice models.

(more…)

;