A stack of paper medical claims piling up in the Salem, Ore., business office of Oregon Specialty Group. The cancer care provider had to revert to paper billing following a cyberattack that disrupted billions in payments nationwide.
Amelia Templeton / OPB
Hospitals and clinics across Oregon are facing a big dip in their cash flow this month — the fallout of a ransomware attack on a national company that connects health care providers with insurers.
The Feb. 21 hack took Change Healthcare, based in Nashville, offline.
Knocking out that one company caused chaos nationwide, including in Oregon.
Change runs a popular clearinghouse, a service health care providers use to electronically bill insurers, including Medicare and Medicaid. Providers also use Change’s services to standardize and securely transmit patient data and prescriptions.
Change’s largest clearinghouse went back online the weekend of March 23, and insurers have been reconnecting to it since. Claims processing remains slower than usual and some services are still experiencing outages.
But health care providers across Oregon are still sorting through reams of bills to see if they will be reimbursed for care given during the hack.
Leaders also say shakeup has them newly considering the risks posed by consolidation and vertical integration in the health care industry.
And the attack has drawn additional attention to Change’s parent company, UnitedHealth Group, an industry giant that’s been recently acquiring primary care clinics in Oregon.
“I don’t think many organizations realize the monopoly with UnitedHealth Group,” said Sonney Sapra, chief information officer with Samaritan Health Services.
Bills pile up
Oregon Specialty Group is one of the many medical practices in the state that relied on that clearinghouse to bill all of its largest payers. Its clinics in the Willamette Valley care for patients with cancer and other serious illnesses.
For more than three weeks in February and March, Oregon Specialty Group had to switch to printing its bills and mailing or faxing them.
“That’s 1990s, you know,” said Shelly Carlson, the revenue cycle manager.
Back-office staff were working overtime. Carlson’s team would try to fax bills to insurers, only to get busy signals. Other clinics across the country had reverted to faxing, too. In the time it took to submit one or two claims, Carlson said, “just a month and a half ago, we could have put through maybe 200.”
The slowdown in billing cut Oregon Specialty Group’s revenue by about 50%, a big challenge for an independent practice that relies on cash flow.
The bill for the practice’s drugs, for example, runs between $500,000 and $1 million daily.
Members of the financial counseling team at Oregon Specialty Group. The massive disruption in claims processing has made it harder for them to help patients get qualified for copay assistance.
Amelia Templeton / OPB
“Our business — cancer care, primarily — is a very expensive type of health care to be in,” said Mel Davies, Oregon Specialty Groups’ chief financial officer.
Davies said their supplier, McKesson, immediately stepped in with help so patients’ access to cancer drugs wasn’t in jeopardy. McKesson waived some fees and offered extended payment timelines.
Oregon Specialty Group also looked into getting help from UnitedHealth Group.
UnitedHealth Group is the parent company of Change Healthcare, the tech company that got hacked. It is the largest for-profit health care company in the U.S.
United announced on March 1 a temporary funding assistance program. Davies immediately sought a loan. She said United indicated the practice would qualify for less than $8,000.
Davies was incensed.
“I find that to be cavalier, putting information out to make it seem like they’re offering support when it wasn’t meaningful enough,” she said.
Other providers had similar experiences with the aid program in the days following the cyberattack. A survey by the American Hospital Association, for example, found that few hospitals were participating in United’s aid program “largely due to unexpectedly low amounts offered and one-sided terms,” the AHA wrote in a letter to Congress.
Related: Update: Oregon approves controversial Corvallis Clinic, Optum merger
A spokesperson for United acknowledged that its initial loan offers were small. UnitedHealth Group based its offers of aid on the difference between providers’ historical payment levels and the payment levels following the attack.
But United only considered reduced payments from its own divisions, even as the attack had brought a halt to payments from thousands of insurers across the country. At the same time, United suggested that other insurers should be extending loans too.
“We urge all payers to do the same, as this is the fastest, most efficient way to address provider short-term cash flow needs,” the company wrote in a press release posted March 7.
Davies said the opposite happened. After United announced its aid program, one of Oregon Specialty Group’s largest payers, Regence, said it wouldn’t be providing advance payments.
UnitedHealth Group launched a second program then, providing much larger amounts “evaluated on a case-by-case basis,” according to the press release, particularly for small and regional providers.
Oregon Specialty Group tried a second time to apply for assistance.
Davies and her staff said the process was slow and hard to navigate. It required signing up for a payer portal, getting documents notarized, and hours on the phone with customer service.
That changed, Davies said, after OPB reached out to United with questions for this story.
A day later, a CEO with a UnitedHealth Group subsidiary contacted Davies and helped Oregon Specialty Group apply for a $1.2 million loan.
United’s spokesperson said the company wants to help providers, and has advanced more than $3 billion in loans to date. More than 40% have gone to safety net hospitals and federally-qualified health centers serving many of the patients and communities at the highest risk.
Future issues
A little further south in the Willamette Valley, Samaritan Health Services runs nonprofit hospitals in Corvallis, Newport and Lincoln City. Samaritan delayed submitting about $150 million in claims, after they severed their connections to Change Healthcare.
“It only took a few hours for me to come to the realization that this is not going to be a couple of days or a week event, this could be months,” said Dan Smith, Samaritan’s chief financial officer. “From a cash flow perspective, we don’t have months to wait.”
Samaritan did not wait. Smith’s team had been looking into switching clearinghouses prior to the attack. They fast-tracked that process and signed a new deal with one of Change Healthcare’s competitors. After three weeks without being able to send a single claim, Samaritan resumed billing in mid-March.
But Smith is concerned that insurers could reject claims that were delayed following the hack. Most insurance companies use algorithms to approve claims, according to Smith. And many of the claims dating from the weeks after the cyberattack will have irregularities.
Change’s electronic services that went temporarily offline included much more than just the insurance billing clearinghouse. The system Samaritan used to transmit prescription information to its pharmacies went down for several days too, and the hack interrupted other electronic communications with insurers.
It was a ton of work to make sure patients in the hospital were getting the right drugs on time. So, Samaritan temporarily suspended the usual process to seek pre-authorization from insurers for procedures.
Related: Data breach affects 1.7 million Oregon Health Plan members
Smith wants the federal government to intervene and guarantee that providers will be paid fairly.
“Some way to not have 100% denial on all these claims that happened in this three-week period,” Smith said.
He believes it’s possible some insurance companies have profited from the attack. They’ve paid out billions less in claims this month, and as a result are likely holding on to more cash — and earning interest on it.
“That should have been in our bank account,” Smith said. “When you add that up, nationwide, who’s paying the bill on that? Where is that going?”
One company that may have earned more interest is UnitedHealth Group. It’s insurance division, United Healthcare, controls more of the health insurance market than any other private company.
A spokesperson did not answer a question about how much less money United Healthcare had paid out in claims since the cyberattack, and whether it had earned additional interest.
United Healthcare, the spokesperson said, was not a top user of Change’s clearinghouse, and the insurers’ claims “were moving some time ago.”