IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Amid Cyber Attacks, Concern Over Health-Care Consolidation

A recent debilitating cyber attack struck Change Healthcare, a massive health-care technology company that among other services handles about half the medical claims in the country.

(TNS) — The staff at Perinatal Associates of New Mexico are writing out orders with pen and paper.

They're getting lab results by fax to their location in Santa Fe and others across the state.

They're having to manually upload hundreds of ultrasound scans by hand every day, a process that used to happen automatically and nearly instantaneously thanks to use of an interface that connects the ultrasound reporting system to the practice's electronic medical record.

In other words, the provider, which has locations across the state and which provides care for about half of New Mexico's high-risk pregnancies, has gone back in time 15 or 20 years, said Dr. Michael Ruma, the practice's president.

That's because of a debilitating cyberattack on Change Healthcare, a massive health care technology company that among other services handles about half the medical claims in the country — and developed and maintained the interface that links Ruma's ultrasound and medical record systems.

"It's become pandemonium," Ruma said. "... It's like we're in an indefinite purgatory with paper."

As health care providers wait for the Change Healthcare systems to be fully restored, some say the ordeal is raising larger concerns about who should bear the burden of fallout. They also are questioning why one of the largest companies in the world didn't have adequate security or built-in redundancy, and say they're concerned about the drawbacks of the high level of consolidation in today's medical world.

"When's the end of this and who's responsible for it?" Ruma said. "I know it's a cyberattack. But ... the parent organization for this company is one of the top three largest health insurers in the country, which ideally should have some of the best cybersecurity in the world."


The attack on Change Healthcare came to light in February and hobbled financial operations for health care organizations, from pharmacies to hospitals. The company has largely restored systems for handling pharmacy claims and processing payments. But a number of other services remain offline.

Change Healthcare has blamed a hacker-for-hire group known as "ALPHV BlackCat" for the attack, Forbes reported. It's unclear what the total financial impact will be.

New Mexico Superintendent of Insurance Alice Kane recently ordered major insurance companies in New Mexico to temporarily pause a number of practices that are slowing down claims processes for small and independent providers — requiring prior authorizations for medical procedures, for example, and asking providers to adhere to "timely filing" policies that set deadlines on claims submissions after performing a service.

Representatives of UnitedHealth Group, which owns Change Healthcare, did not agree to an interview and did not directly respond to emailed questions about concerns regarding the company's large number of subsidiaries — including insurer United Healthcare and primary care company Optum — or their business model as a whole.

A spokesman instead sent links to previous news releases detailing the loans the company has made available to providers, which he said is now up to more than $3.4 billion.

"Please remember that this incident did not involve any United Healthcare or Optum systems," United Healthcare spokesman Tyler Mason wrote in an email. "We remain confident that Optum, UnitedHealthcare and UnitedHealth Group systems are safe and were not affected by this issue."

'They're so big'

Katie Raiten, who co-owns Interventional Pain Associates with her husband, Dr. Joshu Raiten, said the Albuquerque clinic can maybe keep its doors open another two months if something doesn't change, thanks to weeks of delays and roadblocks in getting claims submitted and reimbursed. She said while Change Healthcare is starting to make progress in recovering its claims system, it's unfair small office practices are barely hanging on while larger facilities that offer identical services receive better reimbursement levels from all insurance carriers.

"I think that the disparity of reimbursement of a facility versus an office is so substantial ... which make it difficult for smaller practices or private practices to weather storms like this," Raiten said.

For Raiten's practice, the comparison in size between her company and UnitedHealth Group has also felt galling in the weeks since the cyberattack.

For example, while UnitedHealth Group has advanced loans through subsidiary Optum to providers based on estimates of their shortfalls, Raiten said it took her two and a half weeks to get access to the system to apply for it.

"Last week I was finally able to apply for assistance," Raiten said in an interview on Thursday. "The assistance that they originally offered me was $1,500, which doesn't even scratch the surface of what we're dealing with right now."

Raiten said she later was able to successfully apply for another $20,000 and has submitted a request for some other advance payments through Medicare, though she hasn't received a reply.

"What's really frustrating about this whole situation is if you look up the subsidiaries of UnitedHealth Group, UnitedHealthGroup is kind of like a monstrosity of a company," she said.

A U.S. Securities and Exchange Commission summary of the company's subsidiaries lists well over 100 entities, while its revenue last year was reported at $371.6 billion.

"If this is not a monopoly, I'm not so sure I know what is," Ruma said, adding the $3.4 billion the company is loaning to providers is a "slap in the face" and probably just pennies on the dollar compared to what small-scale providers need to keep their heads above water.

Raiten said in today's medical landscape, massive companies like UnitedHealth Group seem to hold all the cards.

"They're buying out hospitals. They're buying out companies that are responsible for processing prior authorizations," Raiten said, adding she believes that level of consolidation could be a breach of antitrust law. "... But they're so big that they're getting away with it."

Bloomberg News reported in late February the U.S. Department of Justice was initiating an antitrust investigation into UnitedHealth Group.

Nick Autio, general counsel for the New Mexico Medical Society, said it's been a "rude awakening" for the medical industry to realize that a single cyberattack on a highly centralized system could have such wide-ranging effects.

"Any time you have an issue like this, it can highlight weaknesses in the system," he said.

Redundancies needed

For providers still doing business by workarounds, the cyberattack has created a mountain of complications.

Some health care providers that use Change Healthcare as a clearinghouse for processing medical claims have reverted to submitting those on paper, which in turn floods insurance carriers with paperwork.

At Raiten's small practice, her biller has been submitting hard paper for just the bigger claims — trying to prioritize those that will bring the most money back into the struggling provider's coffers. In some instances, the company can submit claims through another clearinghouse, from health care firm Availity. But that firm is taking on a good deal of Change Healthcare's workload from all over the country, Raiten said.

"It's not seamless," she said.

The 30 or so medical assistants at Perinatal Associates of New Mexico, meanwhile, are each spending about two extra hours a day writing laboratory orders by hand and doing manual lab result entry, which Ruma said slows down the flow of information and also is a far riskier and error-prone method in an already highly litigious branch of medicine.

"It creates medical liability for us if we miss something that is now on paper, which previously was electronic," Ruma said, adding he's concerned about who will be held liable if a patient is harmed as a result of a clerical error on paper or because of a lack of information. "... Pregnancy is a high-risk situation."

Meanwhile, Ruma said he's still paying about $10,000 per month for his Change Healthcare subscription, and has had trouble getting basic answers from the company about the situation.

"It's exceedingly difficult for us to get information from UnitedHealth Group, because they're so large," Ruma said.

Ruma said he'd also like to see compensation for all the overtime he's paying to his staff to do the job of a non-functioning system.

"We are here to take care of patients and we will continue to do so," Ruma said. "... We would love some compensation for the pain and agony of it."

Ruma said he believes the federal government, which has pushed medical practitioners for decades to move to electronic medical record-keeping, needs to have greater oversight of health care giants like UnitedHealth Group, and systems that large should be required to have redundancies in place at all times. Ruma said it's akin to back-up generators at hospitals that exist to keep vital equipment like ventilators going in the event of a power failure.

"In this setting there is no back-up generator," he said.

Raiten agreed and said she'd also like to see better regulation of consolidation through more rigorous enforcement of the Fair Trade Act.

"I don't feel that that's happening with large companies such as UnitedHealth Group," Raiten said. "The purpose ... is to make sure that you're not creating a monopoly, where you're kind of eliminating the competition. ... They make it very difficult to compete."

© 2024 The Santa Fe New Mexican (Santa Fe, N.M.). Distributed by Tribune Content Agency, LLC.