DONATE
This story was updated on Mar. 1, 2024 at 10:35 a.m. ET.
A cyberattack against Change Healthcare, a health technology company, is having major ripple effects across the U.S.
Change Healthcare is part of Optum and owned by UnitedHealth Group. It plays a vital role in making and clearing health insurance claims, eligibility checks, pharmacy operations among other services across the country.
On Feb. 21, hackers reportedly gained access to the company bringing its operations to a halt.
The American Hospital Association said in a statement that this is “the most serious incident of its kind leveled against a U.S. health care organization”.
And it’s easy to see why.
The company processes 14 billion health care transactions every year, and according to its website, touches 1 in every 3 patient records.
Much like the rest of the country, the full scope of the impact in Indiana is still unclear. WFYI has reached out to the hospital association and the major health systems in the state but hasn’t received information from all of them yet.
Indiana University Health Plans, an insurance company built by IU Health that offers Medicare Advantage and employer-sponsored plans, announced on its website that – like many payers – they are unable to accept electronic claim submissions or send out electronic payments and remittances because of the outages. They provided an address where paper claims can still be submitted.
In an emailed statement, IU Health said, "like many national providers, IU Health is working with Change Healthcare to restore service[s]," and added that the outage has no impact on patient care.
Change Healthcare has multiple touchpoints with big swaths of the complex U.S. health care system and the impact of this cyberattack is still unfolding.
In a letter to the Department of Health and Human Services, the American Hospital Association said some of its members are struggling to get paid and that this cyberattack will have an adverse impact on hospitals’ finances and their ability to care for patients.
“[Change Healthcare’s] interrupted technology controls providers’ ability to process claims for payment, patient billing and patient cost estimation services,” the letter said. “Any prolonged disruption of Change Healthcare’s systems will negatively impact many hospitals’ ability to offer the full set of health care services to their communities.”
The AHA also said that without revenue sources, hospitals and health systems may be unable to pay salaries for clinicians and care teams, obtain medicine and medical supplies, and pay for other necessary operational costs.
“It is particularly concerning that while Change Healthcare’s systems remain disconnected, it and its parent entities benefit financially, including by accruing interest on potentially billions of dollars that belong to health care providers,” AHA’s letter to HHS added.
A ransomware group called BlackCat seems to be behind the February 2024 attack, according to a joint statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and HHS.
This is not the first cyberattack against a health care organization in the U.S. In fact, these attacks are becoming more common than ever. Research suggests that cyberattacks have more than doubled between 2016 and 2019. Some of these attacks can have a direct impact on patient care and hospital finances. A 2023 report by IBM suggests that the average cost of a cyberattack on a health care organization is north of $10 million excluding any ransom payments.
According to federal guidance, if a breach of unsecured protected health information affects 500 or more individuals, organizations must promptly notify the HHS Secretary. In Indiana, there were around 25 such incidents reported in the last 24 months alone.
This is a developing story.
Contact managing editor Farah Yousry at fyousry@wfyi.org
View More Programs
Support WFYI. We can't do it without you.