Inside Rising Cyber Attacks: Tackling Insurance Hikes, Payment Disruptions at Nursing Homes

Health care cyber attacks have been an ever-present threat for providers, including nursing homes. But the most recent attacks on Change Healthcare have had ripple effects on the industry, prompting lobbying groups and federal agencies to action.

The attack in February has affected cash flow and claims processes for some nursing home operators, associations said, although federal programs to expedite payments have helped.

Cyber attacks have increased dramatically over the last several years going back to the beginning of the pandemic and the move toward a more virtual world, Steve Przybilla, principal for Plante Moran Living Forward, told Skilled Nursing News. Plante Moran has its own cybersecurity division and conducts assessments for its clients around good cybersecurity protocols.


The HIPAA Journal, which covers health care privacy issues, reported record data breaches in 2023, with 725 data breaches reported to the Office for Civil Rights (OCR). Across those breaches, more than 133 million records were exposed or impermissibly disclosed, the reports found.

More recently, a supposed second ransomware attack involved a group called RansomHub, which alleged it had four terabytes of data stolen from Change and was willing to sell the data if a ransom wasn’t paid, according to reports from PYMTs and Wired in April. However, a spokesperson for UnitedHealth Group said the company has seen no evidence of a new cyberattack.

Change Healthcare processes claims for and is a subsidiary of UnitedHealth.


Insurance hikes, staff training

Unlike other industries, hospitals and long-term care are seeing significantly more instances of malware and cyber security breaches, said Przybilla. That has led to a doubling and, in some instances, quadrupling of cybersecurity insurance pricing.

Those that issue cybersecurity insurance have increased protocols and items needed to keep insurance as a provider, he said. This could be outside security assessments, or making sure operators are meeting necessary thresholds in terms of screening software, and having a regular cybersecurity review to patch up any holes in the system.

“In long-term care, there are organizations that could potentially be targeted, smaller one-off [companies],” said Przybilla. “There’s always a risk because the cybercriminals out there, they’re going after anybody that will click on stuff. Then they can hold them ransom, or cause challenges, or take control of their automated systems, or their health networks or the [electronic medical records].”

Nursing home operators are starting to test their employees on a regular basis, Przybilla said, sending fake phishing attempts.

Cybersecurity training is generally becoming part of annual and ongoing training, especially among staff that have access to certain networks.

“We’re all working diligently to put in the proper measures, so that we are less vulnerable to cyber attacks,” said Stu Almer, CEO of Gurwin Senior Living in New York.

While Gurwin wasn’t affected by the Change attacks, he said there are too many health care organizations that have been attacked, and there isn’t enough support from the government for protection.

Meanwhile, the introduction of artificial intelligence (AI) in the nursing home space unlocks a whole other set of questions and concerns about how cybersecurity will be affected, he said.

“This is a significant area of concern and should be an even greater concern because it really can impact finances, operations. It affects patient care, an endless number of impacts,” said Almer.

Seeking federal relief

Nursing home associations including the American Health Care Association and National Center for Assisted Living (AHCA/NCAL) expressed concern for how the attack will affect its members, even penning a letter in February to the U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra.

AHCA/NCAL requested the agency, along with the Centers for Medicare & Medicaid Services (CMS) take specific actions following the attack, including issuing accelerated payments through the Medicare program. The agencies should encourage Medicare Advantage organizations to do the same, the association said.

The attack caused Change to shut down specific systems while many other integrated health care platforms disconnected from Change. As a result, some nursing home operators were experiencing issues with processing claim submissions and billing activities following the first attack in February.

“Timely payments are essential for facilities to maintain daily operations and to keep their doors open for residents and patients, and we request your support for providers to access accelerated payments,” AHCA/NCAL President and CEO Mark Pakinson said, in writing to CMS.

CMS in March agreed with the association’s request. Providers who can attest that their claims processing or payment operations were impacted by the attack should ask for an accelerated payment from their Medicare Administrative Contractor (MAC), the agency said in a statement.

A streamlined accelerated payment process was developed for impacted providers and MACs have been instructed to provide public information on how to submit a request for such payment on their websites. The temporary Change Healthcare/Optum Payment Disruption (CHOPD) fund will distribute Medicare Part A and B accelerated payments.

“We are continuing to monitor the situation, and we encourage HHS and CMS to continue to push all plans to make accelerated payments available to providers until all affected, delayed claims have been adjudicated and the claims processing systems are restored,” Martin Allen, senior vice president of reimbursement policy at AHCA/NCAL, said in an email to Skilled Nursing News.

Martin added that providers are dependent upon these financial resources to keep their doors open and ensure access to quality care for those who need it. At the same time, operators must be diligent and adhere to the best practices in protecting patient data, he said.

For Medicare Advantage payments, CMS strongly encouraged Medicare Advantage Organizations (MAOs) and Part D sponsors to exercise flexibility in prior authorizations and utilization management requirements, along with easing claim filing deadlines, while offering advance funding to affected providers.

“This event underscores the importance of robust business continuity plans that include preparations for cyber incidents,” the agency said in a statement. “CMS mandates that MA organizations and Part D sponsors have such plans. Providers should review continuity plans to ensure they can effectively respond to similar disruptions, safeguarding patient care and business operations.”

In terms of those with affected Medicaid claims, CMS said they are working closely with states and are urging Medicaid managed care plans to make prospective payments to providers. HHS has asked UnitedHealth Group to provide Medicaid agencies with a list of providers impacted in their states.

On the state level, Pennsylvania Health Care Association (PHCA) President and CEO Zach Shamberg said his team worked with the Governor’s office and members of the legislature to ensure officials were kept up to date on what long-term care providers needed throughout the cybersecurity incident.

“What we learned is that the average nursing home has 30 days cash on hand,” said Shamberg. “That’s got to not only pay staff, but it’s got to pay for essential services including food. Any delay in claim submissions billing and then payment could disrupt the operations of any given nursing home.”

The evolution of cybersecurity

If anything, the Change attack exposed how fragile the long-term care continuum really is to data breaches, and that missed reimbursement could force closure faster than anticipated, said Shamberg, referring back to the 30 days cash on hand for most operators.

“We need to bolster reimbursement rates, whether that’s Medicaid at the state level, or Medicare at the federal level. In Pennsylvania, we have a real Medicaid pending issue, where we have Medicaid payments that are waiting to be approved for 30, 60, 90, 120 days or more,” said Shamberg. “That is a real issue for providers who don’t have the cash on hand to sustain their operations for more than 30 days.”

He hopes that the attacks shine a light on this fragility, and spur action from government officials to support the industry with resources like the expedited payment program from CMS and open lines of communication in Pennsylvania, along with advice on how to improve cybersecurity protocols. That’s on top of improved reimbursement, he said.

In the wake of the Change attacks, Almer said nursing home operators are working to put in the proper measures to be less vulnerable in the future. But the issue is getting more complicated with AI, he said, and those in the industry have yet to see how it will affect protocols.

“We’re hearing that those who are creating cyber events can create a lot of disruption with the use of artificial intelligence. As quickly as we’re all coming up to speed and putting measures in place to be cyber ready, we now have a new item to deal with,” said Almer.

But a lot of operators have been investing in ensuring the right protections are in place with the information available. Sometimes it’s the use of the Cloud for storage, and other times it’s the training of staff to recognize phishing attempts, Almer noted.

“We’ve put many measures in place, certainly in this organization, to best protect us. But the Change Healthcare issue shows that no matter what measures you put in place, you’re still vulnerable, the hackers have become more sophisticated. And so we have to be ahead of that curve,” said Almer.

Companies featured in this article:

, , , , , , ,