The Centers for Medicare & Medicaid Services (CMS) has announced the conclusion of a program that provided billions in early Medicare payments to those affected by the Change Healthcare/UnitedHealth Group cyberattack last winter.
CMS reported that the program advanced more than $2.55 billion in Medicare payments to > 4200 Part A providers, including hospitals, and more than $717.18 million in payments to Part B suppliers such as physicians, nonphysician practitioners, and durable medical equipment suppliers.
According to CMS, the Medicare billing system is now functioning properly, and 96% of the early payments have been recovered. The advances were to represent ≤ 30 days of typical claims payments in a 3-month period of 2023, with full repayment expected within 90 days through “automatic recoupment from Medicare claims” — no extensions allowed.
The agency took a victory lap regarding its response. “In the face of one of the most widespread cyberattacks on the US health care industry, CMS promptly took action to get providers and suppliers access to the funds they needed to continue providing patients with vital care,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “Our efforts helped minimize the disruptive fallout from this incident, and we will remain vigilant to be ready to address future events.”
Ongoing Concerns from Health Care Organizations
Ben Teicher, an American Hospital Association spokesman, said that the organization hopes that CMS will be responsive if there’s more need for action after the advance payment program expires. The organization represents about 5000 hospitals, health care systems, and other providers.
“Our members report that the aftereffects of this event will likely be felt throughout the remainder of the year,” he said. According to Teicher, hospitals remain concerned about their ability to process claims and appeal denials, the safety of reconnecting to cyber services, and access to information needed to bill patients and reconcile payments.
In addition, hospitals are concerned about “financial support to mitigate the considerable costs incurred as a result of the cyberattack,” he said.
Charlene MacDonald, executive vice-president of public affairs at the Federation of American Hospitals, which represents more than 1000 for-profit hospitals, sent a statement to this news organization that said some providers “are still feeling the effects of care denials and delays caused by insurer inaction.
“We appreciate that the Administration acted within its authority to support providers during this unprecedented crisis and blunt these devastating impacts, especially because a vast majority of managed care companies failed to step up to the plate,” she said. “It is now time to shift our focus to holding plans accountable for using tactics to delay and deny needed patient care.”
Cyberattack Impact and Response
The ransom-based cyberattack against Change Healthcare/UnitedHealth Group targeted an electronic data interchange clearing house processing payer reimbursement systems, disrupting cash flows at hospitals and medical practices, and affecting patient access to prescriptions and life-saving therapy.
Change Healthcare — part of the UnitedHealth Group subsidiary Optum — processes half of all medical claims, according to a Department of Justice lawsuit. The American Hospital Association described the cyberattack as “the most significant and consequential incident of its kind” in US history.
By late March, UnitedHealth Group said nearly all medical and pharmacy claims were processing properly, while a deputy secretary of the US Department of Health & Human Services told clinicians that officials were focusing on the last group of clinicians who were facing cash-flow problems.
Still, a senior advisor with CMS told providers at that time that “we have heard from so many providers over the last several weeks who are really struggling to make ends meet right now or who are worried that they will not be able to make payroll in the weeks to come.”
Randy Dotinga is a freelance health/medical reporter and board member of the Association of Health Care Journalists.
A version of this article appeared on Medscape.com.