Unpacking the Change Healthcare Cyberattack and Its Ripple Effects in Healthcare

HUDDLED WITH

Change Healthcare, which process nearly $2 trillion worth of claims each year, has been hacked, placing a de facto freeze on claims and payments. The February 21st ransomware attack has caused chaos among billing functions, prior authorizations, and prescription fulfillment—a complete, utter mess.

In this article, I’ll highlight Change Healthcare, dive into the cyberattack, and dissect the impact on patients, physicians, and the healthcare system.

The Deets: Change Healthcare

Change Healthcare uses technologies like blockchain to enhance the efficiency, transparency, and integrity of healthcare processes. Hundreds of thousands of physicians, hospitals, other healthcare providers, as well as commercial and government payers all rely on Change Healthcare for processing claims, payments, and other critical healthcare data services. These stakeholders rely on Change Healthcare every single second to process claims and receive reimbursements.

The company processes approximately 15 billion healthcare transactions per year, impacting one in every three patient records in the U.S.

That’s around $2 trillion worth of claims annually—nearly 50% of total healthcare spending!

Safe to say, Change Healthcare plays a significant role in this healthcare system. The company hasn’t gone unnoticed. UnitedHealth’s Optum Insights recognized the financial value of Change Healthcare, and acquired them for $13 billion in 2022. They defeated the DOJ who tried stopping the deal. For good reason… UnitedHealth Group rules healthcare—just look at all the verticals they dominate:

Change Healthcare Ransomware Attack and Response

Change Healthcare was hit by a ransomware attack on February 21st, causing major disruptions to its operations used by just about everyone in the healthcare system. These disruptions have impacted claims processing, reimbursements, prescription fulfillments—all the essential things needed to keep the healthcare system running.

A hacker group known as AlphV or BlackCat is behind this chaos. It’s reported UnitedHealthcare paid the hacker group $22 million payment in bitcoin.

The impact of the attack has been profound due to the integral role Change Healthcare plays in the system. Hospitals, health systems, and independent physicians rely on Change Healthcare for daily reimbursements from health insurers. On the flip side, these insurers rely on Change Healthcare to process claims from hospitals, health systems, and independent physicians. While large hospitals and health systems have some cash runway to sustain operations, smaller physician groups and independent physicians don’t! I’ll talk more about this in my dissection.

Shortly after the attack, UnitedHealth Group (again, they own Change Healthcare) launched a temporary financial assistance program for physicians unable to receive payments due to the attack. The program is run through Optum Financial Services (owned by UnitedHealth Group) and provides temporary funding based on historic claim volumes, which would need to be repaid after things start working again. This program only addresses the problem of providers receiving reimbursements from Change Healthcare, not providers sending claims to Change Healthcare to be processed.

No one really applauded UnitedHealth for this program because of its onerous requirements such as repayment of loans within five days notice and allowing Optum Financial Services to recoup funds immediately and without prior notice. As eloquently stated by AHA CEO Richard Pollack:

Providers have been left with figuring out manual workarounds to process claims and deal with prior authorization. These manual workarounds are grossly inefficient and require more labor and resources. Imagine if my email service provider went down and I had to write out this whole email and send it via letter mail to all 30,000 of you!

Major organizations like AHA and AMA have called on the government to step in and provide guidance. Again, providers have very little cash reserves. A few days without payments, let alone two weeks, can cause significant financial distress. HHS has responded, announcing/encouraging several key flexibilities:

• Medicare providers affected by outages and needing to switch clearinghouses for claims processing should contact their MAC for fast-tracked EDI enrollment, with CMS urging other payers to similarly expedite or waive related requirements.

• CMS will urge MA, Medicaid, and CHIP plans as well as Part D sponsors to remove or relax prior authorization and other utilization management restrictions. They also urge MA plans to offer advance funding.

• CMS will ensure Medicare Administrative Contractor (MAC) accept paper claims submissions.

• CMS will provide accelerated payments to affected Part A subscribers and advance payments to Part B suppliers under the Change Healthcare/Optum Payment Disruption (CHOPD).

UnitedHealth is providing updates here. As of March 8th:

• Pharmacy: operating at 100% with claim submission and payment transmission.

• Claims: 90% of claims are flowing undisrupted due to workarounds, but systems are still not running 100%. Estimated time to return is March 18th.

• Payments: See the temporary funding program above. Systems are not close to running 100%. Estimated time to return is March 15th.

Dashevsky’s Dissection

The scenario with Change Healthcare may be compared to JPMorgan Chase, one of the largest banking institutions globally, experiencing a comprehensive system failure. This would disrupt a vast array of financial transactions and services, causing widespread chaos for individuals and businesses relying on its infrastructure for daily operations, similar to the impact of the cyberattack on Change Healthcare in the healthcare sector.

Now, could you imagine JPMorgan Chase being down for two weeks?

The repercussions of the ransomware attack are profound:

Patients

Patients whose insurers use Change Healthcare have been unable to obtain needed prior authorization approval or medications, forcing many to pay out of pocket. Since the outage affects billing, too, there have been disruptions to needed copay assistance and coupon card processing at pharmacies, leaving patients paying hundreds if not thousands of dollars for previously affordable meds.

Physicians

The Change Healthcare ransomware attack has deeply impacted physician groups and independent physicians, reminiscent of financial strains during the early pandemic due to reduced patient volumes. Particularly for smaller physician groups, the lack of a substantial financial buffer means that any interruption in the cash flow, such as that caused by the cyberattack, can quickly lead to operational sustainability issues, underscoring the vulnerability of healthcare providers to disruptions in payment systems. These groups rely on daily reimbursement from Change Healthcare to pay staff, medical supplies, overhead, etc..

The latest CHOPD accelerated and advance payments are slightly akin to CARES Act-esque policy, which provided financial relief to affected physicians. Dr. Christine Meyer has been documenting her Change Healthcare journey on LinkedIn. Luckily, companies like Aledade are providing advances based on shared savings from 2023.

In contrast to smaller physician groups, hospitals and health systems might be better positioned to weather the disruptions caused by the Change Healthcare ransomware attack, thanks to their extensive resources, such as large billing departments, and greater financial reserves. These institutions are often more equipped to manage and mitigate the impacts of payment system interruptions, highlighting the disparity in resilience among healthcare providers of different sizes.

Healthcare System

The ransomware attack, where $22 million was paid (chump change for UnitedHealth Group, but a lot for a hacker organization!), exposes the healthcare sector's vulnerabilities, particularly the lack of robust contingency plans for such crises. Cyberattacks are a growing trend in healthcare: over the past five years, there’s been a 264% increase in ransomware attacks. This trend underscores the dangerous precedent of paying ransoms, potentially encouraging more such attacks and highlighting the urgent need for improved cybersecurity measures and response strategies within the industry.

If you learned anything from my newsletters, you know healthcare pays well. Unfortunately, it looks like ransomware attacks pay well, too. Cyberattacks threaten the integrity of this healthcare system, which is already vulnerable as is. This Change Healthcare fiasco should force healthcare organizations to beef up their cybersecurity to protect all healthcare functions.