A security incident led workers’ comp claims administrator CorVel to shut down systems nationwide last week, prompting credible rumors of a ransomware attack.
As of this writing, CorVel’s systems are only partially operational, and countless bills remain unprocessed. Both paper and electronic bills are affected. Providers should be aware that this issue may affect Corvel’s ability to timely respond to electronic bills within the 15-day timeframe (as well as second review appeals within the 14-day timeframe) mandated by California regulations.
CorVel, a major player in the national claims management industry, remains tight-lipped about exactly what happened. The nature and scope of the breach are unknown as CorVel responds to media requests for information with vague generalities — when they respond at all.
According to an email from CorVel’s director of marketing to workcompcentral, CorVel “discovered a security incident on Sunday and out of an abundance of caution, took some of our systems offline to preserve the integrity of our data and prevent further risk." CorVel refused to share any further specifics with workcompcentral, DaisyBill, and other understandably interested parties.
Whether or not sensitive data, such as patients’ personal medical information, was breached remains disturbingly unknown.
Until CorVel resolves the issue, many claims cannot be processed — a situation sure to create serious administrative hassle for providers in the near future. CorVel’s President and CEO, Michael Combs, sent an email to clients (later obtained by blogger and consultant Joe Paduda), in which he assured recipients of the utmost efforts to “maintain business continuity” and of CorVel’s commitment to “work nonstop to clear backlogs” once systems are operational.
Workcompcentral notes that CorVel’s annual report detailed worries about cybersecurity, specifically the impact on public perception of the company. As CorVel’s silence echoes across the industry, leaving experts to contemplate frightening possibilities, such fear may prove self-fulfilling.
We’ll keep our clients and readers updated on any further developments to this story.