Medical providers say UnitedHealth cyberattack fallout ‘a mess’ that threatens their financial health

Minnesota health care providers are sounding alarms over their ongoing difficulty billing health insurers as a result of last month’s cyberattack on a subsidiary of Minnetonka-based UnitedHealth Group.

While there’s typically a several-week lag for submitted claims to be paid, hospitals and clinics say they may soon face a cash crunch because of the billing mess. This could make covering payroll and supply costs challenging and take months to clean-up and sort.

UnitedHealth Group says it’s making progress on workarounds and fixes that are helping restore the payment system. Yet hospital and physician groups say many health care providers are still having major problems with everything from scheduling patients to estimating their costs and have strengthened calls for relief from the financial fallout.

More aftershocks from the cyberattack surfaced this week, from federal lawsuits filed against UnitedHealth to reports of a possible ransom being paid to the hackers.

“What we are hearing is hundreds of millions of dollars of claims are just sitting because they’ve not been able to go through this pipeline that’s been shut off,” said Dr. Rahul Koranne, chief executive of the Minnesota Hospital Association. “So there’s a scramble to get to other pipelines.”

The Feb. 21 cyber attack prompted UnitedHealth to suspend operations of the electronic data clearinghouse at Change Healthcare. This system, widely used by pharmacies, hospitals and clinics, processed in recent years an estimated 50% of all U.S. medical claims.

Last week, UnitedHealth rolled out a financial assistance program for health care providers struggling with cash flow, but the American Hospital Association on Monday blasted the offer as far too insufficient, saying the company “can — and should — be doing more to address the far-reaching consequences.”

Blue Cross and Blue Shield of Minnesota says it’s exploring options for making payments more timely. Minneapolis-based UCare is working to help health care providers on a case-by-case basis.

On Tuesday, the federal government announced steps to help health care providers, but the American Medical Association says the measures don’t go far enough.

UnitedHealth Group says its technical work is helping preserve patient access to medications.

“We continue to see pharmacy claims flowing at near-normal levels,” the company said in a Tuesday afternoon update. “While some pharmacies are still unable to submit claims, we are making progress toward full restoration.”

Yet the problems that remain are serious, said John Hoeschen, owner of St. Paul Corner Drug. His pharmacy was fortunate to primarily rely on a clearinghouse other than Change Healthcare, yet Hoeschen still has a stack of claims for Medicare Part B payments that he hasn’t been able to submit for about two weeks.

“If you can’t submit a claim, you can’t get paid for a claim,” he said. “It’s a mess — it’s an absolute mess. And I don’t know when it’s going to get resolved.”

Pharmacy patients are being directly affected, according to lawsuits filed this week in U.S. District Court in Minnesota.

In one filing, a California resident says he was told that, because of the problem, he’d have had to pay full price for his medication and pursue an insurance claim after the fact. The plaintiff “is hesitant to pursue further medical care until he is assured that his information has been secured and his insurance coverage will be accepted,” the lawsuit says.

A second lawsuit, brought by another California patient, says the inability to fill a prescription exposed him “to potential negative health risks.”

“[UnitedHealth Group] is responsible for the data breach because it failed to implement reasonable security procedures and practices and failed to disclose material facts surrounding its deficient security protocols,” this second lawsuit claims.

The company did not comment on the lawsuits, which were filed as class actions.

Compared with pharmacy systems, UnitedHealth Group says it will take longer to bring a full recovery to systems for filing medical claims. About 90% of these claims are “flowing uninterrupted,” the company said, but some health care providers say that doesn’t seem to capture the degree of disruption in Minnesota.

The Minnesota Hospital Association says it’s talking with the Gov. Tim Walz administration and the state’s congressional delegation about whether payments from the government’s Medicare and Medicaid programs could be accelerated for cash-strapped health care providers.

While Minneapolis-based Allina Health says it’s used manual workarounds to help patients with their insurance coverage and authorizations, it’s proven “much more difficult” to get claims submitted to insurers. Allina runs nine hospitals including Abbott Northwestern in Minneapolis, one of the state’s largest medical centers.

“We are experiencing a gap in our ability to bill for most of our hospital services,” the health system said in a statement Monday.

At Minnesota Voice & Speech Clinic in Hopkins, office manager Marti Priest says the system shutdown has left her practice with about $4,000 worth of claims she still can’t submit.

This week, the company that supplies an electronic medical record for her practice has scrambled to create an alternate system for submitting claims to commercial insurers, Priest said. While she hopes to start using it soon, Priest hasn’t yet found a workaround for submitting claims to government-sponsored health plans.

“Have you heard the old saying, ‘How many miles does it take to turn an ocean liner?’” Priest said. “This is the ocean liner, and every single provider is trying to stop on a dime and turn.”

UnitedHealth Group initially disclosed the incident by saying a “nation-state associated cyber security threat actor” had accessed some information technology systems at Change Healthcare. Last week, the company said the cyberattack was “perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”

This group is notorious for encrypting data to hold it hostage in order to secure massive cryptocurrency payouts. A federal report in February identified Blackcat among Russian cyber criminal groups, but cybersecurity expert Brett Callow said he didn’t consider the gang as being state-sponsored, nation-state associated or Russian.

Wired magazine reported earlier this week on signs from a Bitcoin account and a cybercriminal underground forum that suggest the alleged hackers might have received a $22 million ransom. UnitedHealth Group would not comment, beyond saying the company is “focused on the investigation.”

On Tuesday, Reuters reported on an apparent “exit scam” by the hackers, a strategy where criminals falsely claim their website has been disabled by law enforcement in hopes of avoiding payment to partners in crime.

The biggest cyber-ransom paid to date was about $40 million, said Callow, an analyst with the cybersecurity firm Emsisoft. Massive payments encourage the attackers and provide them with resources to scale their operations, he said.

“We know that $22 million was paid into a wallet belonging to ALPHV, and we know that someone claiming to be an affiliate of ALPHV stated that the money was paid by Change,” Callow said of the report in Wired magazine. “While this does not prove that Change paid, it certainly points to it.”

Aside from the Change Healthcare systems, UnitedHealth Group says its other systems were not hit by the cyberattack including those at its UnitedHealthcare insurance business as well as the Optum division for health care services.

Star Tribune staff writer Mike Hughlett contributed to this story.