Hospitals and clinics across Oregon are facing a big dip in their cash flow this month 鈥 the fallout of a ransomware attack on a national company that connects health care providers with insurers.
The Feb. 21 hack took , based in Nashville, offline.
Knocking out that one company caused chaos nationwide, including in Oregon.
Change runs a popular clearinghouse, a service health care providers use to electronically bill insurers, including Medicare and Medicaid. Providers also use Change鈥檚 services to standardize and securely transmit patient data and prescriptions.
Change鈥檚 largest clearinghouse the weekend of March 23, and insurers have been reconnecting to it since. Claims processing remains slower than usual and some services are still experiencing outages.
But health care providers across Oregon are still sorting through reams of bills to see if they will be reimbursed for care given during the hack.
Leaders also say shakeup has them newly considering the risks posed by consolidation and vertical integration in the health care industry.
And the attack has drawn additional attention to Change鈥檚 parent company, UnitedHealth Group, an industry giant that鈥檚 been primary care clinics in Oregon.
鈥淚 don鈥檛 think many organizations realize the monopoly with UnitedHealth Group,鈥 said Sonney Sapra, chief information officer with Samaritan Health Services.
Bills pile up
Oregon Specialty Group is one of the many medical practices in the state that relied on that clearinghouse to bill all of its largest payers. Its clinics in the Willamette Valley care for patients with cancer and other serious illnesses.
For more than three weeks in February and March, Oregon Specialty Group had to switch to printing its bills and mailing or faxing them.
鈥淭hat鈥檚 1990s, you know,鈥 said Shelly Carlson, the revenue cycle manager.
Back-office staff were working overtime. Carlson鈥檚 team would try to fax bills to insurers, only to get busy signals. Other clinics across the country had reverted to faxing, too. In the time it took to submit one or two claims, Carlson said, 鈥渏ust a month and a half ago, we could have put through maybe 200.鈥
The slowdown in billing cut Oregon Specialty Group鈥檚 revenue by about 50%, a big challenge for an independent practice that relies on cash flow.
The bill for the practice鈥檚 drugs, for example, runs between $500,000 and $1 million daily.
鈥淥ur business 鈥 cancer care, primarily 鈥 is a very expensive type of health care to be in,鈥 said Mel Davies, Oregon Specialty Groups鈥 chief financial officer.
Davies said their supplier, McKesson, immediately stepped in with help so patients鈥 access to cancer drugs wasn鈥檛 in jeopardy. McKesson waived some fees and offered extended payment timelines.
Oregon Specialty Group also looked into getting help from UnitedHealth Group.
UnitedHealth Group is the parent company of Change Healthcare, the tech company that got hacked. It is the largest for-profit health care company in the U.S.
United announced on March 1 a temporary funding assistance program. Davies immediately sought a loan. She said United indicated the practice would qualify for less than $8,000.
Davies was incensed.
鈥淚 find that to be cavalier, putting information out to make it seem like they鈥檙e offering support when it wasn鈥檛 meaningful enough,鈥 she said.
Other providers had similar experiences with the aid program in the days following the cyberattack. A survey by the American Hospital Association, for example, found that few hospitals were participating in United鈥檚 aid program 鈥渓argely due to unexpectedly low amounts offered and one-sided terms,鈥 the AHA wrote to Congress.
A spokesperson for United acknowledged that its initial loan offers were small. UnitedHealth Group based its offers of aid on the difference between providers鈥 historical payment levels and the payment levels following the attack.
But United only considered reduced payments from its own divisions, even as the attack had brought a halt to payments from thousands of insurers across the country. At the same time, that other insurers should be extending loans too.
鈥淲e urge all payers to do the same, as this is the fastest, most efficient way to address provider short-term cash flow needs,鈥 the company wrote in a press release posted March 7.
Davies said the opposite happened. After United announced its aid program, one of Oregon Specialty Group鈥檚 largest payers, Regence, said it wouldn鈥檛 be providing advance payments.
UnitedHealth Group launched then, providing much larger amounts 鈥渆valuated on a case-by-case basis,鈥 according to the press release, particularly for small and regional providers.
Oregon Specialty Group tried a second time to apply for assistance.
Davies and her staff said the process was slow and hard to navigate. It required signing up for , getting documents notarized, and hours on the phone with customer service.
That changed, Davies said, after OPB reached out to United with questions for this story.
A day later, a CEO with a UnitedHealth Group subsidiary contacted Davies and helped Oregon Specialty Group apply for a $1.2 million loan.
United鈥檚 spokesperson said the company providers, and has advanced more than $3 billion in loans to date. More than 40% have gone to safety net hospitals and federally-qualified health centers serving many of the patients and communities at the highest risk.
Future issues
A little further south in the Willamette Valley, Samaritan Health Services runs nonprofit hospitals in Corvallis, Newport and Lincoln City. Samaritan delayed submitting about $150 million in claims, after they severed their connections to Change Healthcare.
鈥淚t only took a few hours for me to come to the realization that this is not going to be a couple of days or a week event, this could be months,鈥 said Dan Smith, Samaritan鈥檚 chief financial officer. 鈥淔rom a cash flow perspective, we don鈥檛 have months to wait.鈥
Samaritan did not wait. Smith鈥檚 team had been looking into switching clearinghouses prior to the attack. They fast-tracked that process and signed a new deal with one of Change Healthcare鈥檚 competitors. After three weeks without being able to send a single claim, Samaritan resumed billing in mid-March.
But Smith is concerned that insurers could reject claims that were delayed following the hack. Most insurance companies use algorithms to approve claims, according to Smith. And many of the claims dating from the weeks after the cyberattack will have irregularities.
Change鈥檚 electronic services that went temporarily offline included much more than just the insurance billing clearinghouse. The system Samaritan used to transmit prescription information to its pharmacies went down for several days too, and the hack interrupted other electronic communications with insurers.
It was a ton of work to make sure patients in the hospital were getting the right drugs on time. So, Samaritan temporarily suspended the usual process to seek pre-authorization from insurers for procedures.
Smith wants the federal government to intervene and guarantee that providers will be paid fairly.
鈥淪ome way to not have 100% denial on all these claims that happened in this three-week period,鈥 Smith said.
He believes it鈥檚 possible some insurance companies have profited from the attack. They鈥檝e paid out billions less in claims this month, and as a result are likely holding on to more cash 鈥 and earning interest on it.
鈥淭hat should have been in our bank account,鈥 Smith said. 鈥淲hen you add that up, nationwide, who鈥檚 paying the bill on that? Where is that going?鈥
One company that more interest is UnitedHealth Group. It鈥檚 insurance division, United Healthcare, controls more of the health insurance market than any other private company.
A spokesperson did not answer a question about how much less money United Healthcare had paid out in claims since the cyberattack, and whether it had earned additional interest.
United Healthcare, the spokesperson said, was not a top user of Change鈥檚 clearinghouse, and the insurers鈥 claims 鈥渨ere moving some time ago.鈥
Copyright 2024 Oregon Public Broadcasting. To see more, visit .
