Skip to main content

Medical providers still grappling with UnitedHealth cyberattack: ‘more devastating than Covid’

UnitedHealth says money is flowing after a massive hack to a payment network. But providers say they're still struggling to get paid
April 23, 2024

Two months after a cyberattack on a UnitedHealth Group subsidiary halted payments to some doctors, medical providers say they’re still grappling with the fallout, even though UnitedHealth told shareholders on Tuesday that business is largely back to normal.

“We are still desperately struggling,” said Emily Benson, a therapist in Edina, Minnesota, who runs her own practice, Beginnings & Beyond. “This was way more devastating than covid ever was.”

Change Healthcare, a business unit of the Minnesota-based insurance giant UnitedHealth Group, controls a digital network so vast it processes nearly 1 in 3 U.S. patient records each year. The network is a critical conduit for shuttling information between most of the nation’s insurance companies and medical providers, who submit claims through it to get paid for treating patients.

For Benson, the cyberattack continues to significantly disrupt her business and her ability to pay her seven other clinicians.

Before the hack brought down the system, an insurance company would process a provider’s claim, then send a type of receipt known as an “electronic remittance,” which details the amount the provider was paid and whether the claim was denied. Without it, providers don’t know if they were paid correctly or how much to bill patients. 

Now, instead of automatically handling those receipts digitally, some insurers must send forms in the mail. The forms require manual entry, which Benson said is a time-consuming process because it requires her to match up service dates and details to divvy up pay among her clinicians. And from at least one insurer, she said, she has yet to receive any remittances.  

“I’m holding on to my sanity by a thread,” Benson said.

The situation is so dire, Alex Shteynshlyuger, a urologist who owns a practice in New York City, said he had to transfer money from his personal accounts to pay his office bills.  

“Look, I am freaking out,” Shteynshlyuger said. “Everyone is freaking out. We are like monkeys in a cage. We can’t really do anything about it.”

Roughly 30% of his claims were routed through Change’s platform. Except for Medicare and certain Blue Cross plans, he said, he has been unable to submit claims or receive payment from any insurers.

The company is encouraging struggling providers to reach out to the company directly via its website, said Tyler Mason, vice president of communications for UnitedHealth Group.

“I don’t think we’ve had a single provider that hasn’t been helped that’s contacted us.” As part of that help, Mason said, UnitedHealth has sent providers $7 billion so far.

Ever since the February cyberattack forced UnitedHealth to disconnect its Change platform, the company has been working “day and night to restore services” and has made “substantial progress,” UnitedHealth CEO Andrew Witty told shareholders April 16. 

“We see a fairly normal claims receipts and payments flow going on at this point,” Chief Financial Officer John Rex said during the shareholder call. “But we’ll really want to be careful on that because we know there are certain care providers out there that may have been left out of it.”

Rex said the company expects full operations to resume next year.

The company reported that the hacking has already cost it $870 million and that leaders expect the final tally to total at least $1 billion this year. To put that in perspective, the company reported $99.8 billion in revenue for the first quarter of 2024, an 8.6% increase over that period last year.

Meanwhile, the House Energy and Commerce Health Subcommittee held a hearing April 16 seeking answers on the severity and damage the cyberattack caused to the nation’s health system.

Subcommittee chair Brett Guthrie (R-Ky.) said a provider in his hometown is still grappling with the fallout from the attack and losing staff because they can’t make payroll. Providers “still haven’t been made whole,” Guthrie said.

Rep. Frank Pallone Jr. (D-N.J.) voiced concern that a “single point of failure” reverberated around the country, disrupting patients’ access and providers’ financial stability.

Lawmakers expressed frustration that UnitedHealth failed to send a representative to the Capitol to answer their questions. The committee had sent Witty a list of detailed questions ahead of the hearing but was still awaiting answers.

As providers wait, too, they are trying to cover the gaps. To pay her practice’s bills, Benson said, she had to take out a nearly $40,000 loan — from a division of UnitedHealth.

KFF Health News is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF—an independent source of health policy research, polling, and journalism. 


Submitted by Debra Bartel on Tue, 04/23/2024 - 16:36 Permalink

The situation continues to be devastating to the business side of our industry, but few seem to care.  Things are NOT back to normal.  Sure, some things are working again but not all.  Local payers say they are waiting for Change Healthcare to get back online.  Seriously?  Do they really care so little about the privacy of the patients they are paid to serve?  Optum/UHC/Change is NOT back up and running nor should they be until they can prove their ability to protect the data they've been collecting - largely without most in the industry knowing about it.  Most clinics have zero contracts with Change.....yet we now know they've been intimately involved in the flow of our patient information.  Why and how was that allowed to happen?  Will they be allowed to continue 'business as usual' without being held accountable?  They stated February 21 was the date they 'discovered' the breach.  Perhaps.  Many of us started noticing things weeks prior to that date.  In any case, once they notify the Feds there was a breach, they have 60 days to research and 'cure' it, whatever that means.  It's been more than 60 days and we still do not have answers about what happened and what specific data was stolen.....and when they'll begin to notify all parties with information removed from their system and not just dump it on those who had no idea they were even involved.  As of last week, we do know a lot of this personal data was dumped out onto the web.  Great.  As clinics continue to close doors and/or lay people off, perhaps the news media will start paying more attention and call for a true investigation.  We've not seen any of that yet.