‘We’re hemorrhaging money’: US health clinics try to stay open after unprecedented cyberattack

Sean Lyngaas, CNN | 3/9/2024, 2:16 p.m.
For more than two weeks, a cyberattack has disrupted business at health care providers across the United States, forcing small …
The UnitedHealth website on a smartphone. For more than two weeks, a cyberattack has disrupted business at health care providers across the United States, forcing small clinics to scramble to stay in business. Mandatory Credit: Gabby Jones/Bloomberg/Getty Images via CNN Newsource

For more than two weeks, a cyberattack has disrupted business at health care providers across the United States, forcing small clinics to scramble to stay in business and exposing the fragility of the billing system that underpins American health care.

“We’re hemorrhaging money,” said Catherine Reinheimer, practice manager at the Foot and Ankle Specialty Center in the suburbs of Philadelphia. “This will probably be the last week that we can keep everybody on full-time without having to do something,” she told CNN. The center is considering taking out a loan to keep the lights on.

The cyberattack disrupted the computer networks of Change Healthcare, which serves thousands of hospitals, insurers and pharmacies nationwide. It prevented some insurance payments on prescription drugs from processing, leaving many care providers footing the bill up front and hoping to get reimbursed.

Change Healthcare, part of UnitedHealth, is one of handful of companies that make up the central nervous system of the US health care market. Its services allow doctors to look up patients’ insurance, pharmacies to process prescriptions, and health clinics to submit claims so they can get paid.

Health care groups have pleaded with the Department of Health and Human Services (HHS) to offer medical practices a financial lifeline. The department on Tuesday said it was taking extraordinary steps to help get claims processed, but some care providers say it’s not nearly enough.

Mel Davies, chief financial officer of Oregon Oncology Specialists, told CNN she is worried that the private clinic that treats 16,000 cancer patients annually could be forced to close if she doesn’t get financial relief soon.

Cash flow has dropped by 50% in the two weeks since the cyberattack, she said. “The magnitude of this is off the charts for us.”

On Thursday night, half a month since the saga began, Change Healthcare announced plans to have its electronic payment platform back online by March 15 and its network for submitting claims restored the following week.

But the financial wreckage caused by the cyberattack will take a lot longer to clean up, health providers and analysts say.

“The prospect of a month or more without a restored Change Healthcare claims system emphasizes the critical need for economic assistance to physicians, including advancing funds to financially stressed medical practices,” Jesse Ehrenfeld, president of the American Medical Association, said in a statement Friday.

Reinheimer, who works at the foot treatment center, said Change Healthcare’s plan to bringing systems back online was a “light at the end of the tunnel … However, it doesn’t solve the immediate issue, which is lack of money today, tomorrow and next week.”

The chaos caused by the cyberattack is prompting a reckoning for senior US cybersecurity officials about the vulnerabilities in hugely important companies that underpin the health care system.

The Change Healthcare hack “is an evolution beyond” other ransomware attacks on individual hospitals “that shows the entire system is a house of cards,” a senior US cybersecurity official told CNN.

Devastating financial fallout

Health care executives have been sounding the alarm for several days that the cyberattack is causing severe financial strain on the sector.

The Medical Group Management Association, which represents 15,000 medical practices, has warned of the “devastating” financial fallout from the hack and of “significant cash flow problems” facing doctors. The ransomware attack has “had a severe ongoing impact on cancer practices and their patients,” the nonprofit Community Oncology Alliance said this week.

A week ago, Change Healthcare announced plans for a temporary loan program to get money flowing to health care providers affected by the outage.

But Richard Pollack, head of the American Hospital Association representing thousands of hospitals nationwide, slammed the proposal as “not even a Band-Aid on the payment problems.”

The cyberattack could end up costing Change Healthcare billions of dollars in lost revenue and clients, said Carter Groome, chief executive of cybersecurity firm First Health Advisory.

“This is a huge, huge moneymaker being essentially the middleman or the intermediary between the insurance companies,” Groome told CNN.

Change Healthcare has blamed the hack on a multinational ransomware gang called ALPHV or BlackCat that the Justice Department says has been responsible for ransomware attacks on victims around the world.

A hacker affiliated with ALPHV this week claimed that the company had paid a $22 million ransom to try to recover data stolen in the hack. Tyler Mason, a spokesperson for Change Healthcare, declined to comment when asked if the company had paid off the hackers.

Private experts who track cryptocurrency payments said the hacking group had received a $22 million payment, but it was unclear who made the payment. “A cryptocurrency account associated with ALPHV received a $22 million payment [on March 1],” Ari Redbord, global head of policy at blockchain-tracing firm TRM Labs, told CNN.

For Joshua Corman, a cybersecurity expert who has focused on the health sector for years, the Change Healthcare cyberattack is clear evidence that the US health sector is not as resilient as it needs to be in a crisis.

Acquisitions that have merged multibillion-dollar healthcare companies have accentuated the problem so that “a single point of failure can have outsized, cascading reach and consequences,” said Corman, who helped lead a federal taskforce to protect coronavirus research from hacking.

If federal officials “don’t identify the systemically important entities proactively, our adversaries will continue to do it for us … while we burn,” he told CNN.