AAOS Leader Speaks to Congress about Cyberattack

When Change Healthcare, the nation’s largest clearinghouse for processing medical claims, was struck by a ransomware cyberattack in February, the ensuing outage exposed significant weaknesses in the U.S. healthcare infrastructure. Although the ripple effects of the attack reached nearly every corner of the healthcare system, the disruption presented unique challenges for small, independent practices.

Given the unique experience of Adam Bruggeman, MD, FAAOS, FAOA, chair of the AAOS Advocacy Council, in guiding his own practice through the crisis, the House Energy and Commerce Subcommittee on Health asked him to testify at its April 16 hearing examining health-sector cybersecurity and potential solutions to prevent future disruptions.

Dr. Bruggeman began his testimony by walking lawmakers through the “life cycle” of patient billing and how the clearinghouse outage affected practices’ ability to send claims to insurers early in that lifecycle, effectively cutting off their ability to receive payments for the care they were providing. Dr. Bruggeman was fortunate that his practice had sufficient cash reserves to continue operating; however, his testimony detailed the severe and costly disruptions his practice faced as staff worked overtime to manually submit claims via insurers’ individual online portals and establish connections with alternative clearinghouses.

The attack disrupted not only the business side of Dr. Bruggeman’s practice but also patient care. “Some [patients] received bills erroneously,” Dr. Bruggeman explained. “My support staff had to spend countless hours trying to figure out which patients owed money, which did not. Every minute my staff spends trying to reconcile electronic remittance advice (ERA) with received payments, assessing which patients received incorrect bills, or resubmitting prior authorizations is time taken away from patient care.”

Dr. Bruggeman’s practice was not alone. An informal survey by the American Medical Association taken shortly after the attack revealed that one-third of the 1,400 physicians surveyed reported an inability to submit claims, receive payments, or access ERAs. Eighty percent of practices reported lost revenue from unpaid claims, and 55 percent had to use personal funds to cover their regular practice expenses. Some patients also faced difficulty obtaining medications due to pharmacies’ inability to confirm eligibility for coverage.

These statistics underscore a key theme throughout Dr. Bruggeman’s testimony: Improving cyber security and protecting patient data must be important aspects of the national response to this attack, but they cannot be the only lessons learned. Policymakers and stakeholders within healthcare also must investigate how the U.S. healthcare system came to be consolidated around a handful of large companies, meaning that a single point of failure within one of those companies could lead to widespread issues across the entire system.

One factor that contributed to this single point of failure, Dr. Bruggeman argued, was the structure of Change’s relationships with the practices and physicians it serves. Physicians are at the mercy of contractual agreements between electronic health record (EHR) vendors and clearinghouses and have no control over which clearinghouse is used for a given record. In fact, these contracts often include exclusivity clauses that explicitly prevent EHRs from establishing backup connections with other clearinghouses. “Going forward,” Dr. Bruggeman told lawmakers, “we need to investigate whether it is possible to have multiple clearinghouses for a given electronic medical record and build in the redundancies on the front end, so that physicians are not left vulnerable.”

Unfortunately, UnitedHealth Group (UHG) CEO Andrew Witty declined the committee’s invitation to testify alongside Dr. Bruggeman and address these issues directly. However, Mr. Witty’s later appearance at a pair of May 1 hearings made clear that Dr. Bruggeman’s recommendations broke through. During those hearings, Mr. Witty confirmed that UHG will stop using these exclusivity clauses in its contracts going forward and will not enforce existing ones.

Exclusivity clauses were not the only part of UHG’s contracting practices that drew scrutiny from lawmakers. Rep. John Sarbanes (D-Md.) highlighted how companies like Change “offload their liability and protect their bottom line” in their contracts by unfairly limiting the company’s own liability for the costs of rectifying a breach. This system leaves physician practices responsible for the remaining costs, even though physician practices have nothing to do with the failures that left patients’ data exposed.

Dr. Bruggeman asked lawmakers for help limiting the use of these liability restrictions in contracts because physicians lack the bargaining power to negotiate more favorable terms themselves. “As physicians, we have no way of negotiating with companies that touch one-third of every single healthcare dollar in the United States,” Dr. Bruggeman said.

As the healthcare system moves toward value-based care, Dr. Bruggeman expressed his concern that the amount of patient information that physicians must track and share will increase, leaving patient data more exposed to cyber threats. This may serve as a barrier for smaller and rural physician groups looking to participate in alternative payment models, potentially leading to further consolidation with larger health systems.

Citing the recent acquisition of the Oregon-based Corvallis Clinic by Optum, another UHG subsidiary, Dr. Bruggeman explained that his concerns about cyber threats driving further consolidation in healthcare were not just hypothetical. Media reports stated that Optum used the financial emergency caused by the cyberattack on its own subsidiary as legal justification to ask Oregon regulators to expedite an emergency approval of the Corvallis acquisition, which they ultimately granted.

“I find it hard to believe that Optum could not have found other ways to support those practices, rather than buying them at a discount and further consolidating that market,” Dr. Bruggeman argued. Rep. Buddy Carter (R-Ga.) also expressed concern with this “alarming” practice during the hearing and called on the committee to take steps to address consolidation.

Looking ahead to how a crisis like this can be prevented from happening again, Dr. Bruggeman urged Congress to clarify agencies’ authority to respond to future disruptions and ensure that the Centers for Medicare & Medicaid Services and the U.S. Department of Health and Human Services can quickly deploy financial lifelines to physician practices during emergencies. He also called on the Federal Trade Commission to look closely at whether vertical integration is making large companies greater targets for cyberattacks.

AAOS is grateful to the committee for seeking Dr. Bruggeman’s insights and ensuring that the voice of the broader musculoskeletal care community is being represented as Congress begins crafting its response to the Change cyberattack. As subsequent hearings have shown, this is just the beginning of this conversation, and AAOS looks forward to continuing to work with lawmakers to prioritize the interests of members’ patients and ensure the stability and security of the U.S. healthcare infrastructure.

Brian Doty is senior government relations manager for the AAOS Office of Government Relations.