Health systems still missing payments from Change Healthcare cyberattack

The Change Healthcare cyberattack continues to affect U.S. health systems, with smaller hospitals still experiencing significant revenue shortfalls six months after the incident.

What happened

Six months after a cyberattack on Change Healthcare, many U.S. health systems are still grappling with its consequences, particularly in receiving payments for patient encounters from February. Larger health systems, which initially faced the most significant financial impacts, were among the quickest to recover. However, smaller health systems continue to struggle, with an ongoing shortfall of 3% to 5% in expected net revenue from February patient encounters.  

See also: HIPAA Compliant Email: The Definitive Guide

The backstory

Change Healthcare experienced a significant cyberattack on February 21, 2024, shutting down over 100 applications critical to healthcare operations. The ransomware group BlackCat was identified as the perpetrator, posing significant challenges to traditional detection methods. The attack caused delays in claims processing and revenue management services. UnitedHealth Group mobilized resources to mitigate the impact, prioritizing access to care and medications. Funding support programs were initiated to bridge short-term cash flow needs. The healthcare industry's collaborative efforts with industry leaders and government agencies are crucial in addressing the cyberattack's aftermath.

Go deeper: Going deeper: The Change Healthcare attack

By the numbers

According to Strata Decision Technology:

• Health systems with annual operating expenses below $500 million are experiencing an estimated payment deficit of 11.1% when comparing total Medicare inpatient service payments provided in February against missing payments.
• Healthcare organizations with yearly operational expenditures ranging from $500 million to $1 billion witnessed a minor deficit of merely 1.5% in their Medicare payments for February.
• Medicare inpatient payments for health systems operating between $1 billion to $2.5 billion incurred a deficit of 4.3%, while those with over $2.5 billion registered a shortfall of 5.5%.

Related: Why hackers target small and midsize businesses

What was said

“Health systems nationwide felt the repercussions of missing and delayed payments throughout the first half of 2024, but many larger systems were able to narrow those gaps by the end of the second quarter,” Steve Wasson, chief data and intelligence officer at Strata Decision Technology, said in a statement. “Even with the help of bridge payments and accelerated payments offered by some payers, smaller health systems continue to feel the impacts as they have fewer resources to absorb these types of disruptions.”

Why it matters

Financial loss is a consequence of cyberattacks, and Change Healthcare is a prime example of how devastating these incidents can be for the healthcare industry. The incident not only disrupted payment processing, leading to substantial revenue shortfalls, but also exposed vulnerabilities in the healthcare sector's infrastructure, particularly for smaller health systems that lack the resources to quickly recover from such disruptions.

The ongoing challenges smaller health systems face emphasize the disproportionate impact that cyberattacks can have on organizations with limited financial and operational flexibility. While larger health systems have largely managed to close the payment gaps caused by the attack, smaller institutions continue to struggle, with lingering revenue shortfalls threatening their financial stability and ability to provide care.

Moreover, the incident has prompted a reevaluation of cybersecurity practices and the need for more robust infrastructure across the healthcare industry. As cyber threats become more sophisticated, the importance of investing in security measures and disaster recovery plans has become increasingly apparent. The Change Healthcare attack serves as a reminder that the healthcare sector must prioritize cybersecurity to protect patient data and maintain the financial health of its institutions.

See also: 

• The economic reality of cybersecurity attacks in healthcare
• Recovering from a cyberattack

FAQs

What is the role of cybersecurity in mitigating cyberattacks?

Cybersecurity involves implementing policies, technologies, and practices to protect systems, networks, and data from cyberattacks. Effective cybersecurity reduces the risk of attacks, minimizes damage if an attack occurs, and ensures quicker recovery.

See also: What is cybersecurity in healthcare?

How can organizations protect themselves against cyberattacks?

Organizations can protect themselves by implementing strong cybersecurity measures such as:

• Firewalls: Protecting networks from unauthorized access.
• Encryption: Securing sensitive data to prevent unauthorized access.
• Regular software updates: Keeping systems and applications up-to-date to defend against vulnerabilities.
• Employee training: Educating staff about cybersecurity best practices and how to recognize phishing attempts.
• Access controls: Limiting access to sensitive data based on role and need.

How can small organizations protect themselves with limited resources?

Small organizations can enhance cybersecurity by:

• Using cloud services with built-in security features.
• Implementing basic security controls like strong passwords, firewalls, and two-factor authentication.
• Partnering with cybersecurity firms that offer affordable services for small businesses.
• Regularly training employees on recognizing cyber threats.