Change Healthcare cyberattack: Many Americans could be affected, hospitals still hurting

More than two months after the disclosure of the Change Healthcare cyberattack, UnitedHealth Group says patient data appears to have been exposed.

UnitedHealth Group says it appears that the patient data of many Americans was exposed in the Change Healthcare cyberattack. Hospitals continue to struggle financially due to disruptions in payments of claims.

UnitedHealth said this week that the company has found files containing private health data, or information that could identify individuals “which could cover a substantial portion of people in America.”

The company did not estimate how many individuals may be affected by the breach, and said it expects to take several months before UniteHealth can identify and contact customers and individuals who have been impacted. The company did say it hasn’t found evidence of medical histories or doctors’ charts being taken.

UnitedHealth told media outlets that the company did pay a ransom, but hasn’t specified how much was paid. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” a company spokesperson told CNBC.

UnitedHealth has set up a website for individuals to get more information: http://changecybersupport.com/. The company said it has distributed more than $6 billion to assist providers.

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” Andrew Witty, chief executive officer of UnitedHealth Group, said in a statement.

UnitedHealth said it has restored pharmacy services and medical claims services to levels before the breach, which was first reported Feb. 21. And the company said 86% of payment processing services have been restored. UnitedHealth also said other services, including eligibility software, are being restored, with full restoration in the coming weeks.

• Read more: Healthcare mergers may face more scrutiny on cybersecurity

Hospitals and health systems say they have suffered serious financial problems due to the cyberattack. At a House hearing last week, cybersecurity experts and healthcare leaders said the Change Healthcare attack represents the most serious cyberattack ever suffered by the U.S. health industry. Change Healthcare touches 1 in every 3 patient records nationwide, and processes pharmacy services, billing and claims for hospitals.

During an online discussion held by the Washington State Hospital Association Tuesday, health leaders said the cyberattack has posed significant problems for the state’s hospitals.

Caitlin Safford, senior director of government affairs for the Washington State Hospital Association, said some hospitals have seen 75% to 100% of their back end operations impacted by the Change Healthcare cyberattack.

“This amounts to millions of dollars in delayed funding at a time when most hospitals … have little left in reserve,” Safford said in the briefing.

She said one system, which typically gets about $12 million in monthly claims payments, received only about $500,000 in payments a month after the cyberattack occurred.

• Read more: Change Healthcare cyberattack continues to affect doctors: ‘Practices will close’

Hospital officials said they expected it would take months until they gained a full picture of the impact of the cyberattack.

Cathy Bambrick, administrator of Astria Toppenish Hospital, a 63-bed community hospital, said Change Healthcare was the hospital’s primary clearinghouse for claims. She said the attack has been “potentially catastrophic.” She said the hospital is down $3.5 million in typical claims payments.

Cassie Sauer, president and CEO of the Washington State Hospital Association, said that the losses have compounded an already precarious environment for the state’s hospitals. Most of the state’s hospitals are losing money, and Washington’s hospitals have lost a combined $3.8 billion over the past two years.

Hospitals continued to provide care and services for payments, in many cases without first securing pre-approval from insurers, Sauer said. Change Healthcare handles insurance eligibility services for many providers, and those services were disrupted by the breach. Sauer said hospitals are worried they won’t be reimbursed for the care they gave to patients.

“A lot of hospitals … went ahead and provided services without prior authorizations,” Sauer said. “That is very, very nerve wracking, to provide care to someone who you know needs the care, insurance requires you to get it authorized, the system was not working. You could not get a prior authorization.”

“And so now we're really worried they're not going to get paid,” Sauer said. “And that is going to be a disaster, honestly.”

The cyberattack did have an impact on patient care in other ways. While pharmacy services were among the first restored, Sauer noted some patients either had to pay in cash to get their medications or wait to get their prescriptions.

“We did see people who got sicker because they weren't getting their regular medications filled,” Sauer said.