In retrospect, the Change Healthcare cyberattack that wrought havoc on the health care sector earlier this year was a disaster waiting to happen. The UnitedHealthcare Group-owned electronic health payment clearinghouse, the nation's biggest, processes 15 billion transactions each year, touching one in three patient records. When hackers used stolen credentials to breach its systems in February 2024, exploiting a lack of multi-factor authentication, their intrusion exposed a single point of failure in the American health care system. It was inevitable that when Change took its platforms offline, millions of patients across the country would suffer the consequences.

Indeed, the attack's impacts were swift, severe, and far-reaching. More than 96 percent of health care providers in the U.S. were affected, according to one cybersecurity expert. A March survey by the American Hospital Association (AHA) found that 80 percent of hospitals reported disruptions to their cash flow, with 60 percent reporting disruptions of at least $1 million per day. Claims processing was disrupted across the sector, with pharmacies unable to fill patients' prescriptions or redeem their coupons, and many patients were forced to pay out-of-pocket prices. One children's hospital reported that its patients were unable to receive chemotherapy; at a cancer center in Louisiana, according to Bloomberg, the chief executive officer said that it would take “months” to recover from the damage.

A Devastating Toll

Unfortunately, skilled nursing facilities were hardly immune to the damage. The attack caused delays in claims processing through Medicaid, Medicare, and commercial payers, forcing nursing homes to spend substantial time and labor submitting claims manually, in some cases even hiring extra employees to handle the task.

In Pennsylvania, the Jefferson Hills Healthcare and Rehabilitation Center closed briefly when it was unable to process payroll. As one New York-based provider told McKnights Long-Term Care News, meanwhile, the need to manually submit Medicaid claims for 400 patients resulted in the facility missing its weekly submission deadline, and therefore its payments. While many facilities transitioned to alternative billing platforms, this was often a time-consuming and costly process. For patients unable to fill their prescriptions, considerable harm was already done.

“The staggering loss of revenue has meant that some hospitals and health systems had to seek alternate ways to ensure they could pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary, and environmental services,” said John Riggi, the AHA's National Advisor for Cybersecurity and Risk, at a Congressional hearing in April 2024. “In addition, replacing previously electronic processes with manual processes has often proved ineffective and is adding considerable administrative costs for providers, as well as diverting team members from other tasks.”

The attack had devastating effects even on massive national operators. When Petersen, whose 90 nursing homes across the U.S. serve nearly 7,000 residents, filed for bankruptcy in March 2024, it said the Change Healthcare attack compounded existing financial difficulties—including a previous ransomware attack in October 2023. As Reuters reported, the revenue disruption was one reason Petersen defaulted on government-backed loans, which led to 19 of its properties entering receivership.

Still, it was small providers who disproportionately bore the brunt of the ransomware attack's damage, according to a March 2024 analysis by Moody's. Whereas larger providers were more likely to use multiple clearinghouses—and have the means to switch when Change went offline—this was less likely to be the case for their smaller counterparts. “Providers with small scale, a weak financial profile, who only use Change and have little headroom in meeting debt covenants stand to suffer the most from the disruption,” a Moody's analyst wrote, as Healthcare Dive reported. “Larger providers with more resources are in a better position to weather cash flow difficulties.”

Daniel Ciolek, AHCA/NCAL's associate vice president for therapy advocacy, noted that this held true for many of AHCA's members. “More than half our owners have 10 or fewer buildings, and some have only one building,” he said. “They don't have time to get a clearinghouse agreement.”

Flexibilities and Relief for Providers

As news of the attack spread in late February 2024, advocacy organizations across the health care sector moved swiftly to secure relief from the federal government. On February 29, 2024, AHCA/NCAL sent a letter to Health and Human Services (HHS) Secretary Xavier Becerra asking him to announce that the incident met the criteria for HHS to issue accelerated payments through Medicare; to instruct Medicare Administrative Contractors (MACs) to notify providers of this policy; and to encourage Medicare Advantage plans to provide a similar advanced payment option.

“The nation's nursing homes are experiencing significant challenges with claims submissions, timely payment for services provided, and reconciling remittances within standard workflows while Change Healthcare's services remain offline,” AHCA/NCAL CEO Mark Parkinson wrote. “Timely payments are essential for facilities to maintain daily operations and to keep their doors open for residents and patients, and we request your support for providers to access accelerated payments.”

HHS acted on AHCA/NCAL's requests within a matter of days. On March 5, 2024, HHS announced a number of flexibilities, including Centers for Medicare and Medicaid Services (CMS) guidance that would encourage Medicare Advantage organizations and Medicare Part D sponsors to remove or relax prior authorization. It also informed providers that they could submit accelerated payment requests to their MACs.

A few days later, on March 9, 2024, HHS announced the availability of accelerated payments for Part A providers and advanced payments for Part B suppliers, while again encouraging Medicare Advantage organizations to offer advance payments. At the same time, CMS was working closely with state agencies and encouraged Medicaid managed plans to offer payment options to affected providers.

As AHCA/NCAL pushed the federal government for decisive action—like extended temporary pre- and post-pay audit flexibility for impacted providers—it also provided necessary information and resources to its members. “This event underscores the importance of robust business continuity plans that include preparations for cyber incidents,” the organization noted in a March 2024 blog post. “Providers should review continuity plans to ensure they can effectively respond to similar disruptions, safeguarding patient care and business operations.”

Looking Forward

While Change Healthcare's systems were largely restored by mid-March, the attack's ramifications stretched well beyond that. It was not until mid-May 2024, for instance, that the U.S. Department of Veterans Affairs announced that its direct Veterans Care Agreements claims processing systems were back online—welcome news to providers that had been submitting paper claims since the systems went down (and which were permitted to continue doing so if their own systems were still affected).

As the federal government continues to provide resources to impacted organizations, trade organizations like AHCA/NCAL are turning their eyes to the future. What are the most important lessons from the Change Healthcare attack? What can providers do to protect themselves from future cybersecurity breaches, and what steps should the federal government take to protect millions of SNF residents and their data? Stay tuned to Provider for another article discussing these questions.

Steve Manning is a journalist based in New York City.