A cyber warning for health care

Attack on UnitedHealth Group-owned company has had a broad, harmful impact. Company has faced criticism from medical providers for its response. This is an opportunity to step up.

The Minnesota Star Tribune
March 10, 2024 at 12:00AM
Molly Fulton, who helps run five urgent care centers in the Columbus, Ohio, area, described the hack to the New York Times as “worse than when COVID hit because even though we didn’t get paid for a while then either, at least we knew there was going to be a fix." (MADDIE MCGARVEY/The New York Times)

Opinion editor’s note: Editorials represent the opinions of the Star Tribune Editorial Board, which operates independently from the newsroom.

•••

The email from a Star Tribune reader had the word “Desperate” in the subject line. The author: Karin Olson, 76, of Richfield, who has Type 1 diabetes and depends on her Dexcom continuous glucose monitoring system to manage this serious condition.

Olson, a former registered nurse, recently found herself facing a potential care crisis through no fault of her own. The sensors on her Dexcom system are designed to last for up to 10 days before needing replacement, and monthly costs range from $440 to $470, according to GoodRx.com. Medicare typically covers the supplies she needs. But after a recent cyberattack on a medical claims-processing company acquired by Minnesota-based UnitedHealth Group in 2022, Olson couldn’t get new sensors at her local Walgreens or anywhere else.

“Now I’m in panic mode. No pharmacy is willing to refill my sensor supplies because Medicare can’t reimburse them as a result of the recent hacking. I’m running out of supplies. This is a life-threatening situation for me and others with Type 1 diabetes,” Olson wrote on Thursday morning. As for just paying for the supplies herself, Olson told an editorial writer that she’s on a fixed income with limited resources.

Fortunately, by Thursday afternoon, ongoing efforts by Walgreens and UnitedHealth appeared to have resolved this snag. In a phone call, a Walgreens district manager told Olson that a workaround had been found, and her prescription was ready for pickup with the usual copay.

Even though it ended well, Olson’s plight merits a broad spotlight and deeper understanding by policymakers and the public, with Congress in particular needing to explore how the cyberattack happened and how to prevent another one. At a minimum, a high-profile hearing is in order.

Vulnerabilities to outages and nefarious hackers are inherent in this digital era for any industry, but they are especially alarming in health care. As Olson’s case illustrates, a ransomware attack on a company she’d never heard of could swiftly impact her and other patients. An attack like this can also jeopardize the financial well-being of health care providers, with widespread claims-processing delays putting medical providers in a cash-flow crunch.

The UnitedHealth-owned company targeted is called Change Healthcare. It’s helpful to think of it like the Visa or MasterCard of the health care world, handling a broad array of claims and related financial transactions. The attack on the company resulted in the process of billing and paying for health care in many areas across the nation coming to a virtual standstill.

The Minnesota Hospital Association (MHA) merits praise for giving early warning to the nation about the cyberattack’s potentially dire financial impact on providers. “We could be fast approaching a financial cliff,” MHA CEO and president Dr. Rahul Koranne said on Thursday.

U.S. Sen. Amy Klobuchar, D-Minn., whose involvement drew praise from the state’s medical providers this week, clearly understands the urgency. “This cyber-attack by apparent foreign operatives threatens access to lifesaving care and underscores the urgency of strengthening our cybersecurity systems,” she said in a statement to an editorial writer on Friday.

“I have also raised this issue directly with senior officials at the Department of Health and Human Services to ensure they are taking direct and immediate action to protect the health care community. UnitedHealth Group must do everything in its power to swiftly address this situation and ensure patients can continue to access the medications and care they need.”

Klobuchar’s leadership is welcome. The Star Tribune Editorial Board also urges her to take the lead in congressional follow-up. She’s authored a book about antitrust issues. The cyberattack’s broad, harmful impact deepens concerns about ongoing consolidation within health care. It’s important to note that federal officials challenged United’s $13 billion acquisition of the company.

Klobuchar’s ending comment about UnitedHealth is on point. Late Thursday afternoon, UnitedHealth announced “substantial progress” in mitigating the cyberattack’s impact on consumers and care providers. “Electronic prescribing is now fully functional with claim submission and payment transmission also available as of today,” the statement said.

Electronic payment functionality will be available for connection beginning March 15, the company reported. And, “We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week.” UnitedHealth Group CEO Andrew Witty also said in the statement that “We are determined to make this right as fast as possible.”

That’s commendable, but the American Hospital Association and other providers have been far from satisfied with United’s assistance to them so far. “We need real solutions — not programs that sound good when they are announced but are fundamentally inadequate when you read the fine print,” the American Hospital Association’s president said in a Monday letter to United leadership.

In 2023, United “saw an adjusted profit of $22.38 billion on revenue of $371.6 billion,” the Star Tribune reported. This well-run Minnesota corporation has the financial resources to better assist struggling providers. This crisis will pass, but what will be remembered long afterward is how United rose to the challenge of helping those affected by the cyberattack. There’s work yet to do.

about the writer

about the writer

Editorial Board

See More

More from Editorials

card image

Now that Gov. Tim Walz’s vice presidential bid has ended, there’s important work to do at home. Reinvigorating that “One Minnesota” campaign is a must.