At the beginning of 2020, the city of Marathon was hit with a ransomware cyberattack. The perpetrators found a way into the city’s main computer server, and they even found a path to the city’s offsite backup server. The perpetrators demanded a ransom be paid or the city’s records and data would forever be lost. The city paid, the data was recovered, and the investigation may still be ongoing.
Cyberattacks have become far too commonplace in today’s technology-reliant world. A huge part of the information technology market is driven by cybersecurity and protection of information assets. As fast as new protective strategies and techniques are developed, hackers seem to find ways around them.
On Feb. 21, Change Healthcare revealed that it suffered a cyberattack. Change Healthcare is owned by insurance giant UnitedHealth Group, one of the nation’s largest insurers. Change Healthcare’s mission is processing billions of health care transactions nationwide, aligning billing with insurance coverage and ensuring prompt payment to providers.
This attack has basically paralyzed the nation’s health care payment system, affecting hospitals, providers and patients. The American Hospital Association has called it “the most significant cyberattack against the country’s health care system in history.” If that isn’t enough, Change Healthcare also has a relationship with state government programs and Medicaid, processing eligibility determinations and long-term assessments. According to the American Hospital Association, 94% of America’s hospitals have been financially affected by the cyberattack.
And if even that isn’t enough, Mary Mayhew, president and CEO of the Florida Hospital Association, says that there’s no doubt that patient data was compromised in this cyberattack. Dean Sittig, a professor at the University of Texas Health School of Biomedical Informatics, said that once hackers have that data, they can use it themselves to scam or hack those consumers, their banks or credit cards.
How does this affect us locally? Local providers (hospitals, doctors, therapists, etc.) are unable to bill for services provided. That lack of cash flow affects their ability to meet staff payrolls and make vendor payments. Patients may be unable to get life-saving medications, or have to pay out-of-pocket to get them. And they now need to be worried about what might have happened to their private information.
Larger providers may have reserves that will help them cover expenses until billing can resume. Smaller providers may have a much tougher time riding this cyberattack out, some not having any insurance income since January. Change Healthcare originally estimated its operations would be back online by mid-March; its timeline now extends through April 29.
At least two dozen class action lawsuits have been filed against Change Healthcare by law firms representing providers and patients. There likely will be more as the attack’s influence spreads and delays in service resumption mount.
What’s puzzling is the lack of a coordinated response from the federal and state governments. If this had been an attack on the nation’s energy grid or air traffic control system, there’s no doubt that there would have been a significant response from the authorities. Health care is a major part of the American economy, and an incident of this magnitude merits a real response. Strangely, this story hasn’t made headlines, even though it will most certainly negatively affect millions of people.
The federal government should immediately streamline the process for approving SBA loans to providers and offer whatever assistance possible to try to solve this attack and prevent future cyber-disasters. When one considers that our health care workers were the ones who put themselves on the frontlines during the pandemic — and are the ones who take care of us all the time — it’s the least we as a society can do.
