Phia Group


Phia Group Media

The Indirect (But Significant) Impact of a Recent Massive Healthcare Breach on Benefit Plans

By: Andrew Silverio, Esq.

It’s not often we see a healthcare/health benefit story so big that it crosses into the mainstream. The recent cyberattack in the healthcare industry is just that type of story, however, and the American Hospital Association has already called it “the most significant cyberattack on the U.S. health care system in American history.” 

At stake were over 14 billion yearly transactions and this attack has seriously disrupted provider billing, interfering with patient care, and even preventing some providers from paying their employees. On top of that, a massive amount of patient information, protected under HIPAA, has been compromised.

Most of the focus among news outlets has been on the impact to providers, which is of course enormous. Those using the affected claim systems have essentially no way to be paid for their services, and many have seen cash flow come to a prompt and complete halt. The government has advised Medicare plans and related entities to relax prior authorization and timely filing requirements and the entity involved has announced a program to actually offer loans to affected providers.  However, those of us in self-funding know that it’s no simple matter to simply waive requirements like prior authorization and timely filing limits, and we have heard no word from stop-loss carriers on what action it will take if plans provide some allowances to safeguard patient care.  Plans are still able to enforce timely filing limits and other plan terms, but most don’t want to leave patients in the lurch with unpaid claims due to system disruptions entirely outside their control.  A plan that chooses to accept a late claim or waive a preauthorization requirement will be at real risk, since the stop-loss carrier is always free to enforce the terms of the plan, and its own policy, strictly and as-written. 

The industry is still scrambling to get the system “working” again and establish something resembling a normal claim submission pipeline and cash flow.  But once the dust settles, we would expect in the coming months to see some regulatory relief for plans and providers alike, to account for concessions and audibles that had to be made to keep the ship afloat. Looking ahead, hopefully precautionary systemic measures can be taken to account for future incidents. After all, healthcare and technology promise to be forever intertwined and there’s no telling when the next cybersecurity breach will rock the industry as it did last month.