Multiple independent sources tell me CorVel has suffered some sort of internet outage that has affected its bill review and other services. Sources indicate this is corporate and not limited to a specific office or offices, and evidently began on or about Sunday. Whether this is due to a ransomware attack or other issue is unclear.
Evidently the internal phone system, email, provider lookups, and other services are also down. (as of this posting)
Here’s hoping problems get fixed very soon. A knowledgeable source indicated his/her clients affected by the outage have been informed this will not be resolved “this week.” A receptionist at CorVel said internal phones should be working Monday.
I’ve sent multiple emails and even a tweet to CorVel asking about this, and to date have received no response other than that noted above. In addition, I’ve looked high and low for some sort of public acknowledgement by CorVel of the issue, and haven’t seen anything yet.
(Before you start hurling brickbats, while I’m not exactly a fan of Corvel, I’ve publicly defended the company in the past.
I’m puzzled by the lack of public acknowledgement. When multiple people at AASCIF are aware of the issue, when competitors know about it, and when at least two customers are informed, I don’t see the logic in keeping it quiet. One could argue that CorVel management doesn’t want to go public about this as it may harm relations with current and prospective customers, or perhaps affect investor views of the company.
That, I would counter-argue, is nonsensical (forgive me for arguing against a self-constructed straw man, but absent any response from CorVel I have no alternative). This is a very small industry, word travels very quickly, and as any PR exec with any experience knows, when bad things happen by FAR the best option is to get out in front of the issue, tell your story, and thus manage the message.
Great ideas on this are here.
Then there’s the issue of Personal Health Information. If this was a hack that resulted in the capture of PHI – and we do NOT know it was or wasn’t – that’s problematic in and of itself.
I know it may be difficult for CorVel to get the message out, but there are cellphones, personal email addresses, and other means of communicating (twitter…).
If you don’t get in front of the problem, competitors will define the issue, its extent and potential impact. Sooner or later reporters will hear about it and it will become public. And, you may lose credibility with customers and prospects who are/will be relying on you.
For everyone else, this is going to be a big pain in the neck.
Over the near term, patients, adjusters, and case managers involved in any claims affected by communications issues will have work to do. Every day things go unresolved, issues – and the work to resolve them – compound.
Other work comp services suppliers are going to have to answer even more queries about data security, backup and storage protection, liability insurance and the like. Many may have to buy additional insurance coverage, agree to penalties for problems like this, beef up tech capabilities and expertise, and do whatever else hyper-risk-sensitive buyers can come up with.
As a result, it’s going to be even tougher for smaller service companies to acquire and manage the technology and expertise required by work comp payers. This isn’t good for anyone.
What does this mean for you?
Short-sighted competitors may see it as an advantage, when in reality it’s just going to make their own lives more complicated and the sales cycle even longer and more difficult.
Make damn sure your own web security is robust – and have one of those outside tech firms test your protections on an ongoing basis.
Here’s hoping this has minimal impact on CorVel and its customers, the company is back up and running quickly and completely, and we all learn a lesson from this.
UPDATE
received this from a current CorVel customer; it is from CorVel’s CEO
Dear Customers,
As previously reported, on Sunday July 21, 2019, we discovered a security incident that has impacted our systems and forced us to take some of those systems offline. Our team continues to work around the clock to safely repair and restore the systems impacted. As we learn more and execute recovery plans, a more accurate time frame is becoming clear. At this point, we estimate systems will begin to come back online on Monday July 29th. We are committed to mitigating disruption to the greatest degree possible and our staff is working to maintain business continuity. If you have questions, including how to contact someone at CorVel, please call 844-386-9556 or consult the contact information below.
To report a new claim e-mail customer@corvelcustomer.com, call 800-906-4461 or fax 877-284-2959 To request an indemnity payment or check status of a payment, call 503-795-3138 or e-mail treasury@corvelcustomer.com To refill a prescription, call 800-563-8438 or fax 866-688-9048 To request a referral for utilization management fax 866-552-9390If you need to send medical bills, mail to PO Box 6966, Portland, OR 97208
When our systems are back online, we will work nonstop to clear backlogs. Our number one priority is to continue servicing our clients and maintaining the trust and confidence of our customers. On behalf of the entire CorVel team, we thank you for your patience during this challenging time.
Michael Combs
President and CEO
CorVel Corporation
2010 Main Street
Suite 600
Irvine, CA 92614
That`s why I did not receive a bi-weekly deposit. The case worker said they would try to send out paper checks today( Friday), but just said there was an “issue” with their system. Not good when you live check to check.
The more the industry rolls up into very few, large international claim handling entities and service providers, the public policy question becomes to what extent does security of systems (particularly PHI) become regulated and overseen by regulators. Outages of this nature when there are for example a thousand TPA organizations impacts less on the number of recovering workers and jurisdictions. Conversely, when WC claims fall into the handling of only 30 (or perhaps fewer if the number of claims managed is used as the metric) then individual data breaches impact upon many hundreds of thousands of recovering workers and most all domestic jurisdictions. Second policy question is: at what point does the number of TPA entities (particularly those that share common ownership with ancillary service companies) drop to so few that it negatively impacts the grand bargain?
Doesn’t surprise me. Corvel is always hush hush when it comes to “problems’ shoot they dont even let people know that they are moving.
They were hit by the Ryuk virus, a ransomware worm that locks out the system. Allegedly, they caught it early and will only have 1 week of lockout, but I would be surprised if they are back up and running on Monday since it’s typically a minimum of two weeks. They will also lose all previous emails and other data from the server changes.
This information was super helpful! Thank you for posting.