Payers are reporting significant reductions in the volume of claims they receive from providers following the ransomware attack on Optum's Change Healthcare in late February, but the effect on prior authorization processes has been limited.
Since Feb. 21, many of Change's applications, including revenue cycle management and prescription processing, have been down. The attack is complicating operations for hospitals, insurers, physician practices and pharmacies, and the issue is expected to last weeks. The American Hospital Association has called the event the "most significant cyberattack" on healthcare in American history as UnitedHealth Group works to get its systems back online.
HHS said March 5 it would help accelerate payments to hospitals affected by the attack and institute other workarounds for providers. One cybersecurity firm estimated that large health systems were bleeding more than $100 million per day.
In addition, CMS is encouraging Medicare Advantage organizations and Part D sponsors to remove or relax prior authorizations, asking MA plans to extend advanced funding to affected providers, advising providers to request new electronic data interchanges from their Medicare Administrative Contractors for claims processing, and notifying those contractors to accept paper claims.
At least five federal lawsuits have been filed this month against Change, court records show. The complaints include three in Tennessee and two in Minnesota from individual patients seeking class-action status.
What four payers have said about the attack:
Aetna
In a Feb. 27 message to providers, Aetna said it is "aware that some providers across our lines of business and affiliates may not be getting timely payments at this time."
"We take this very seriously. At this time, we're exploring contingency payment options, particularly for providers in our Medicaid plans who receive payment via paper check and are enrolled in the Virtual Credit Card program," the payer said.
Aetna said it is working to assess the impact to claim payments and advised practices to submit claims using another of its approved transaction vendors. The payer said it would not liberalize any prior authorization requirements at this time.
"We have assessed the situation over the last few days and the alternative processes in place — in addition to available Aetna phone call support — should help us manage this important utilization management step with our network providers during this time. If this changes, we will provide an update."
Elevance Health
At TD Cowen's Healthcare Conference on March 5, Elevance Executive Vice President and CFO Mark Kaye said the company initially saw a 15% to 20% reduction in the daily volume of data it receives from providers following the attack and now is down about 10% relative to normal daily volumes.
"Some providers are now submitting claims directly to Availity, while others have switched their clearinghouse," he said. "Over this past weekend, we saw a significant increase in activity levels relative to recent weeks, which suggests, in large part, that providers are starting to catch up in terms of their submissions back to Elevance"
Mr. Kaye said prior authorization volumes have not been affected at Elevance because it does not use Change for those requirements. The company plans to adopt a reserving approach during the first quarter as it waits for claims volumes to recover.
Humana
Humana CFO Susan Diamond said March 5 at the TD Cowen conference that about 20 percent of the company's medical claims submitted by providers go through Change Healthcare's system before they reach the payer, making it difficult to gauge total medical expenses. Humana also uses Change within its dental and D-SNP businesses. Ms. Diamond said the company is still evaluating the effects of the hack.
CEO Bruce Broussard said the company primarily uses Availity and companies are moving to work with other services while Change's systems are offline.
Kaiser Permanente
A Kaiser spokesperson told Becker's on March 7 that there has been no known impact to its members' and patients' data, or to the system's cybersecurity. The system did not say whether claims coming in or getting paid out have been delayed.
"Upon learning of the incident, we immediately began mitigation actions and launched our own investigation to determine the scope of impact on Kaiser Permanente's operations," the spokesperson said.
While some Kaiser members seeking retail pharmacy prescriptions might experience delays, Kaiser pharmacies have not been affected by the attacks.
"We are assisting members with alternatives when this happens," the spokesperson said. "The vendor's issue could also delay the processing of some claims, or getting bills to some third-party payers for services provided to patients."