The Biden administration has hit on a strategy to deal with the massive, industry-paralyzing cyberattack on a UnitedHealth Group unit: pressuring insurers to fix it.
Federal officials have been in constant conversation with senior leaders at UnitedHealth and across the industry, including at a Monday meeting where Department of Health and Human Services and White House officials again pressed UnitedHealth to be more transparent about its timeline for restoring services.
Many insurers have committed to “making accelerated or advance payments,” an HHS official told reporters on a media call after yesterday’s meeting, declining to specify which plans had done so. The plans have also committed to making interim payments to Medicaid providers, a second official added, as well as providing other support, including payment for pending claims, loans and assistance switching to other electronic clearinghouses when needed.
“We have seen significant improvement between last week and this week,” a third official told reporters, but “we have a last mile to go — we are still hearing from small, rural safety-net providers who need cash assistance.”
UnitedHealth’s Change Healthcare is still struggling to recover from a ransomware attack by hackers believed to be part of a Russia-based group called ALPHV, or Blackcat. Change, little known outside the health-care industry, processes billions of transactions a year on behalf of hospitals, physician practices, pharmacies and the insurers that pay them.
Both UnitedHealth and the federal government have come under fire from health-care providers and lawmakers for being unprepared for the attack and too slow to respond.
“Neither UnitedHealth Group nor federal agencies were prepared for the attack on Change Healthcare and its fallout,” Senate Finance Committee Chairman Ron Wyden, an Oregon Democrat, said last Thursday.
The byzantine structure of the U.S. health-care system has created obstacles for regulators to navigate as they help the industry recover. For example, said Chip Kahn, president of the Federation of American Hospitals, which represents for-profit hospitals: Because hospitals and doctors receive many payments from commercial insurers operating Medicare Advantage plans, over which HHS has limited authority, the agency can’t necessarily force those payers to make the providers whole.
Instead, the administration is applying public pressure — including a tense White House meeting with UnitedHealth CEO Andrew Witty and other insurers last week. (HHS’ Office for Civil Rights, which enforces some of the agency’s privacy and security regulations, has also announced an investigation of the hack.)
HHS has “taken the actions they can, within the constraints of the law,” Kahn said in an interview.
Accelerated payments from Medicare may also make a difference. Brad van Pelt, president of the Palm Beach Institute of Sports Medicine, a physical therapy group in South Florida, told me those patients are about half his caseload.
The payments “will make us a little bit whole,” he said, though he took out a loan on Monday to cover payroll. The federal money hadn’t yet arrived.
Longer-term, HHS has signaled it wants mandatory cybersecurity standards imposed through Medicare and Medicaid. That’s not popular with hospitals.
“The trouble with penalties is that at the end of the day, you could penalize institutions that are mission-critical to a community,” Kahn said.
Wyden floated his own more populist approaches on Thursday. Health-care companies, he argued, have become too large.
A federal judge appointed by then-President Donald Trump ruled in September 2022 that UnitedHealth’s $13 billion acquisition of Change could proceed over the Biden administration’s opposition.
“Negligent CEOs” should be held accountable for the mess, Wyden said.
The Washington Post’s Dan Diamond contributed to this report.
This article is not available for syndication due to republishing restrictions. If you have questions about the availability of this or other content for republication, please contact NewsWeb@kff.org.