Who pays the price of the Change Healthcare cyberattack?

When the cyberattack on Change Healthcare shut down the nation’s largest healthcare clearinghouse, Dr. Christine Meyer, for the first time in her career, wondered how she was going to make payroll.  

“Our daily ACH deposits from insurance companies are typically anywhere from $20,000-$70,000 per day,” the Philadelphia-based provider and business owner shared in a social media post. But after the attack, her business’s bank balance plummeted to a meager $1,614.  

 The Philadelphia-based provider’s typical monthly expenses reach about $580,000 and includes the cost of provider salaries, vaccines, and medical supplies. When she applied for Optum Financial’s Temporary Assistance Program, they offered her $4,000 a month.  

In a push to sustain her practice and continue providing patient care, she explored a Home Equity Line of Credit (HELOC) loan. The loan would leverage the home that she had paid off to obtain a large – and fast – sum of money.  

Dr. Meyer’s experience is certainly not an exception. The cyberattack – and parent United Healthcare’s subsequent response – has put providers, pharmacies, and hospitals across the country in a financial crisis.   

“We can only continue to operate for so long without any money coming in,” Dr. Meyer told DHI. “We have to continue to pay our staff so that we do not compromise patient care. Long term, we have to build in redundancies. It is also going to take months and months to clean up the mess of reconciling all of these ad hoc charges.”  

Some Change Healthcare services have come back online with continued restoration expected through the month of April, according to their website, but provider organizations aren’t able to bounce back so easily. According to a survey from the American Hospital Association (AHA), 94% of hospitals have been impacted by the Change Healthcare cyberattack and more than 60% are losing an estimated $1 million per day.  

Optum’s slow and predatory approach to offering financial assistance to providers has been criticized by the AHA and the Department of Health and Human Services (HHS). The AHA also expressed concerns about Optum’s and CMS’s assistance timelines and interest rates. 

In a letter to UnitedHealthcare, Richard Pollack, President and CEO of the AHA, criticized the loan terms that required healthcare organizations to allow Optum Financial Services “to recoup funds ‘immediately and without prior notification,’ “requires providers to give UnitedHealth Group and its subsidiaries access to past, current and future claims payment data,’ and allows Optum to change the loan terms at any time. 

Optum has since upped their loan offerings but it’s still not enough. Optum’s parent company, UnitedHealth Group, touted it’s paid more than $2 billion to providers since the cyber incident on February 21.  

Under normal circumstances, United Healthcare insurance group pays out $662 million daily for medical claims. Two billion dollars might sound sufficient, but for healthcare organizations, it’s equivalent to 3 days’ worth of money from just one insurance provider collectively.   

“UnitedHealth Group, which is a Fortune 5 company that brought in more than $370 billion in revenue and $22 billion in profit in 2023, can — and should — be doing more to address the far-reaching consequences that result from Change Healthcare’s inability to provide these essential hospital revenue cycle functions nearly two weeks after the attack,” shared Pollack in his letter to United Healthcare CEO Dirk McMahon. 

United Healthcare buys up struggling healthcare orgs

The lack of revenue going to hospitals, medical practices, and pharmacies appears to have given an expected pile of cash to the nation’s insurers, including United Healthcare, which has been quick to scoop up The Corvallis Clinic, an Oregon-based provider-owned healthcare organization that couldn’t survive due to the halt in revenue and lack of adequate assistance after the cyberattack. 

Despite public outrage, Oregon lawmakers approved an emergency application for the sale that would bypass state review. Optum is already the largest employer of physicians in the U.S., and now they own one of the largest primary and specialty care healthcare organizations in Oregon.  

Why did Oregon approve the sale? It’s possible that they were caught between two choices: allowing the merger to happen or losing over a key healthcare network in the state with over 600 employees. 

Known cybersecurity issues at Optum 

In a court document from the unsuccessful attempt by the Justice Department to prevent UnitedHealth’s $13.8 billion acquisition of Change in December 2021, it was revealed that UnitedHealth’s internal audit had previously given its data governance team a “Needs Improvement” rating.  

The document also associates Optum with a “heightened risk of data being mismanaged” and “no effective means of enforcement if or when data misuse is discovered or reported,” suggesting a potential inability of the Enterprise Data Management Office to effectively manage and improve data handling practices. 

Healthcare is nearly 20% of the U.S. economy. Change Healthcare touched 1 in 3 patient records in the country. If United Healthcare does not enhance its cybersecurity protocols and establish stronger accountability, its growth poses a risk to our healthcare system and to national security. 

 Who pays the price for the Change Healthcare cyberattack? 

Some states, like Washington, Maryland, and New Mexico, have scrambled to administer assistance that providers need to continue operations. The states hope to recoup the funds when delayed payments come in.  

In other states, providers are left to fend for themselves. In either case, the impact is far from over. 

“No. The Change Healthcare nightmare is not over for us,” shared Dr. Meyer in a post on April 2. “The carnage from this hack will remain long after it is out of the public eye.”