03/08/2024
Message from Don Self:
MAJOR DISRUPTION IN CLAIMS
Roughly eight days back, Change Healthcare disclosed a major cyberattack causing extensive network issues. It's suspected the breach entered through Optum, affecting millions of daily claims. The resulting system outage has impacted over 1.6 million healthcare providers, pharmacies, and insurers, disrupting medical claims processing. The breach also extends to the handling of claims for CVS, U.S. Military Tricare, Medicare Part C, Metlife, among others, and Change Healthcare is utilized by practice management systems like Kareo and Tebra. Reports suggest up to a third of U.S. patient records could be affected, raising concerns over the muted response from some quarters.
The international ransomware gang Blackcat is claiming responsibility and claims to have stolen 6 terabytes of Change Healthcare data in this attack. 6 TB of data would be equivalent to 6,000 hours (250 days at 24 hours a day) of high-definition video. If they did steal this information, you may be wondering what kind of data. Since UHC, Optum and Change process claims for pharmacies and medical offices, I suspect that it could include:
• Patient medical and patient financial records, passwords and more
• Pharmacy bank information since they pay the pharmacies electronically
• Medical office bank information, since they pay clinics electronically
• Who knows what else?
So – has your own Practice Management or EMR system contacted you to tell you to change passwords or to even hold claims? Is UHC or Optum being completely 100% honest with us yet? The updates on their daily updates website www.donself.com/shopat since the attack began all say the same thing: “We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.” Are these the same people that tell you:
• That you have a timely filing deadline on commercial claims – which you do not?
• That you have to refund them money when you don’t owe it?
• That your appeal period is less than 180 days?
• That you have to send them massive amounts of records, when you do not?
And now, they want you to believe that they are being completely truthful on this breach that will probably cost them $Billions?
Folks – I don’t have the answers yet – but if I were responsible for filing insurance claims and all of my claims were going through Change Healthcare or Optum – I would be holding those claims and looking for another clearinghouse. If I saw a patient with UHC insurance right now, I’d hold the claim and not send it. Remember – if YOU have a reason to suspect that a covered entity that you deal with is not HIPAA secure, should you be releasing data to that entity – thereby putting yourself at risk with the HHS Office of Civil Rights for the kinds of penalties that the government agency can hit you with? You may need to reach out to your HIPAA Compliance officer or your Liability carrier to see what they are advising right now to protect yourself.
I’ve had people ask me whether this will be over soon. I don’t know but I strongly suspect that this is only the beginning. If they were able to breach Optum and UHC, which clearinghouse or which major insurance player is next? If the FBI was correct that Blackcat has already made more than $300 Million on their ransomware and we have no idea who is behind Blackcat, perhaps we should be investing in medical pegboard systems and paper CMS-1500 claim forms.
I will try to keep my readers updated as I get more information.