Cyberattack is costing Massachusetts hospitals $24 million a day

Health care breaches are "growing in popularity and severity," according to Health and Human Services Secretary Kate Walsh

The debilitating cyberattack on Change Healthcare last month is costing the Massachusetts health care system about $24 million a day, and care providers are looking to health insurers for financial relief.

The Massachusetts Health and Hospital Association on Monday pegged the average daily costs stemming from the attack at $24,154,000, based on a survey that reflects responses from 12 hospitals and health systems.

UnitedHealth Group said its Change Healthcare systems should be restored later this month, but MHA remains skeptical.

"Depending on how long it lasts, it's just like a snowball effect," Karen Granoff, MHA's senior director of managed care, told the News Service. "The longer you don't get paid, the more you're going to have problems."

"It's not affecting patient care at this point, but everyone's worried," she added.

Recognizing effects on cash flow at hospitals, the U.S. Department of Health and Human Services last week said the "incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem." 

With Change Healthcare's systems still impaired for now, some Massachusetts hospitals might need loans or bridge payments in order to pay providers, MHA said in its newsletter Monday.

While the leader of the Massachusetts Association of Health Plans said insurers are willing to provide financial support and some flexible operating policies on a case-by-case basis, she said that only a "small subset of the provider community" is still grappling with Change Healthcare's downed systems.

Health officials say hospitals across the country are dealing with disruptions to daily operations and provider payments after the Feb. 21 attack on Change Healthcare, owned by UnitedHealth Group, which offers services including eligibility verification, claims processing and prior authorization submissions.

Health and Human Services Secretary Kate Walsh called the attack on Change Healthcare a "very big breach" and a "very scary breach." Walsh, speaking during a fiscal 2025 budget hearing in Burlington Monday, said she's been working closely with Jason Snyder, secretary of the Executive Office of Technology Services and Security.

"There were some smaller hospitals that used Change for their revenue cycle, and we stepped in to help them with their cash flow, related to if the revenue cycle is delaying," Walsh said. "Health care breaches are growing in popularity and severity, I guess, and your health information is worth a lot more on the web than your credit card information. Almost every hospital CEO has dealt with a breach."

Walsh also said that MassHealth had a "significant number of intersection points with Change."

"We were able to address and try to plug those holes from an information security standpoint," she said.

In a letter to Massachusetts insurers last week, MHA President Steve Walsh urged health plans to consider making bridge payments to help hospitals maintain daily operations.

Steve Walsh also asked health plans to allow for some flexibilities until Change Healthcare platforms are restored, such as waiving prior authorizations and the time limit to file claims, and extending the timeline to file claims appeals.

In his letter, Walsh said hospitals surveyed reported a wide range of financial impact while Change remains offline, from $1 million a day for a community hospital to $12 million a day for a health system.

"Prolonged disruption of Change Healthcare's systems will negatively affect the ability of many hospitals to offer a full set of healthcare services to their communities," the MHA's Walsh wrote. "If health plans are unable to pay claims, hospitals and health systems may be unable to pay salaries, acquire necessary medicines and supplies, and pay for mission-critical contract work in areas such as physical security, dietary, and environmental services."

Blue Cross Blue Shield of Massachusetts has implemented some of those policies, but other insurers have asked providers to contact them to work out individualized solutions, Granoff said. That creates another major administrative barrier, she said.

Lora Pellegrini, CEO of MAHP, said member plans are willing to work with providers to offer bridge funding, among other solutions, on a tailored, case-by-case basis. Pellegrini said insurers have offered to meet with affected hospitals this week and discuss targeted ways to solve their issues triggered by the cyberattack.

"We're feeling pretty confident we can work with them to get them to a better place," Pellegrini said.

Pellegrini said the cyberattack, and the inevitability of future incidents, underscores the need for hospitals to invest in back-up systems that will allow providers to continue handling administrative tasks.

"Many providers have pivoted to additional administrative systems, but perhaps those that continue to have issues have not, and we think an important message is that everyone needs to have a redundancy in place," she said.

Pellegrini said she's also suggested creating a joint cybersecurity workgroup with MHA.

On Beacon Hill, Committee on Advanced Information Technology, the Internet and Cybersecurity Co-chair Sen. Michael Moore stressed the need to pass comprehensive cybersecurity and artificial intelligence legislation.

Moore said a redrafted bill the panel reported out favorably in late December would establish industry-specific regulations and guidelines, enable the Commonwealth Fusion Center to respond to and investigate attacks, and require cybersecurity training for public employees. The bill, which is in the custody of the Senate Ways and Means Committee, would also allow the governor to invoke the Civil Defense Act and to declare a state of emergency following a cyberattack.

The bill faced opposition earlier this session as industries pushed back against government regulations, Moore said. To build consensus, lawmakers, government officials and the private sector "have to come together and realize that all regulation isn't bad," he said. 

"I think we need everyone to realize this isn't us versus them," Moore told the News Service. "This is something we all need to come together on, and we're working together to make sure we have the protections that are necessary for our basic needs. If we had a massive breach where our health care system is shut down, what is that going to do to everyone's lives and quality of life?"

Change Healthcare is not responding to reports it paid more than $22 million to the hackers. The CEO of its parent company did say in a statement: 

"We are committed to providing relief for people affected by this malicious attack on the U.S. health system. We’re determined to make this right as fast as possible." 

Copyright State House News Service