It’s been one year since the unprecedented Change Healthcare cyberattack crippled hospitals, medical groups, payers and pharmacies. For some providers, troubles linger.
The industry continues to grapple with the aftermath of the breach of UnitedHealth Group's technology subsidiary, which exposed data on 190 million consumers. Core functions, including claims processing, prescription management, payment, prior authorization and insurance verification froze after UnitedHealth disconnected systems Feb. 21, 2024, following the hack by ransomware group BlackCat.
Change Healthcare, which operates more than 100 online platforms and typically processes 15 billion transactions annually, was incorporated into UnitedHealth’s Optum brand following a merger in 2022. UnitedHealth is still working to bring at least three platforms fully online, according to its Change Healthcare status webpage Tuesday.
While clinical disruptions, such as some hospitals pushing elective procedures and pharmacies delaying prescriptions, have subsided, the fallout from the cyberattack is still affecting finances at a wide swath of companies.
The past year has been the most catastrophic in Fruth Pharmacy's nearly 75 years in business. The 22-store regional pharmacy chain based in Nitro, West Virginia, had a game plan for 2024 to take on the challenges facing independent pharmacies. Then the Change Healthcare attack happened.
Fruth Pharmacy, which mostly serves Appalachian communities, heavily depended on Change Healthcare’s platforms to power its pharmacy system, route claims, reconcile payments, enable electronic prescribing and apply drug copay coupons.
It lost about 5,000 customers who now get their prescriptions filled at pharmacies that relied less on Change or had backup systems in place, said President Lynne Fruth. That has added up to the loss of about 100,000 prescriptions in the past year. To keep the cash-squeezed company afloat last year, Fruth Pharmacy closed five locations, cut store hours, laid off staff and reduced store inventory, she said.
“Everything is not fine,” Fruth said.
Providers
Doctors face similar financial challenges.
Some medical groups are still paying off loans from UnitedHealth, other health insurers and the Centers for Medicare and Medicaid Services, which were offered to make up for stalled payments and help providers make payroll, purchase medical supplies, and cover other expenses, Anders Gilberg, senior vice president of government affairs at the Medical Group Management Association, wrote in an email. UnitedHealth said in an email the company advanced $9 billion to providers via its interest-free loan program.
Residual claims issues also persist for some of MGMA's more than 15,000 medical practice members, Gilberg wrote.
“Unfortunately, some medical groups have not been paid in full or been able to recoup what was lost from unpaid claims,” Gilberg wrote. “Resubmission of claims did garner payments but also resulted in claims being denied as duplicate payments, which had to be manually appealed. Then, claims would be denied due to timely filing requirements, which would entail a second-level redetermination and more work.”
Hospitals also are continuing to reconcile payments for some claims submitted through temporary systems, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
The cash crunch providers unexpectedly faced has led some to delay projects and other investments. “When you have a revenue interruption, it is going to impact budgeting, planning, capital projects, and, at a very minimum, force organizations to reprioritize projects, and so forth. I'm sure there is some lingering disruption that would probably carry on in budgeting for 2025,” Riggi said.
Vendors
The widespread disruptions following the cyberattack cast a spotlight on how dependent healthcare organizations were on one company — and that may not shift.
The AHA, MGMA and National Community Pharmacists Association said the picture is mixed on whether their members reconnected to Change.
“We did the right thing in terms of protecting the system and encouraging people to find alternatives. We're now bringing them back,” UnitedHealth CEO Andrew Witty said on an October earnings call.
A UnitedHealth spokesperson did not answer questions about whether Change lost customers over the past year. The company has said the cyberattack cost it more than $2.4 billion last year.
Even after the devastating year Fruth Pharmacy experienced, it continues to use Change for its pharmacy software and payment reconciliation systems, Fruth said. The pharmacy is, however, working with a different vendor to route claims.
“Your choices are limited,” Fruth said. “You have to do business with Optum. There are certain aspects that just Change Healthcare does with some of these platforms.”
Gilberg said some medical groups that opted to drop Change are still dealing with headaches as they move to new partners. “There was, and often continues to be, a significant lack of response from Change via phone or email to facilitate or initiate these transitions,” Gilberg wrote.
Rival revenue cycle management companies, including Availity, Inovalon and Waystar, have seen interest tick up as providers look to diversify vendors.
Availity has inked new or expanded contracts with about 350 clients that used its free assistance program to process claims while Change's systems were down, CEO Russ Thomas said. Inovalon's core transaction volume tripled in 2024, and the company has retained about 98% of customers added as a result of the cyberattack, said Karly Rowe, interim president of the provider business. Waystar CEO Matt Hawkins said on a November earnings call the company had signed standard multiyear contracts with many of Change's former customers.
Cybersecurity
Since the Change hack, data breaches have continued to plague the healthcare industry, with little relief in sight.
The AHA recommends hospitals reevaluate third-party vendors’ cybersecurity measures and advises against accepting contracts that prohibit them from securing backup partners for critical operations.
Availity is taking measures to minimize the clinical and financial impact for its provider and payer customers if a large-scale cyberattack were to happen again.
On Wednesday, the company announced the launch of Availity Rapid Recovery, a program that would allow it to bring platforms online in five days if Availity's entire system was compromised. The program is a replicated version of the company's entire source code that will be updated and certified by an independent cybersecurity vendor each quarter, Thomas said.
UnitedHealth has been rebuilding Change's systems from scratch, collaborating with cybersecurity companies to scan systems for vulnerabilities, and providing third-party verifications to customers that it’s safe to connect.
“I hope they're in a position to be more resilient if it happens again, but that’s hope,” said Lisa Schwartz, senior director of professional affairs at the National Community Pharmacists Association.