Some providers and physician groups are facing an existential cash flow crisis as the problems pile up due to the recent cyberattack on Change Healthcare, one of the world’s largest health care clearinghouses for medical claims transactions. Outcomes of this event could disrupt health care transactions for months to come.
Based on a recent survey by the American Hospital Association, nearly 60% of survey respondents indicated the impact to revenue could be $1 million or more per day and 94% reported they were financially affected.
As a result, many organizations have indicated they are struggling to meet payroll, pay current liabilities and execute on strategic priorities as incoming cash flows have halted for some who rely on Change Healthcare to process claims transactions.
Some providers and physician groups are now drawing on lines of credit, requesting capital calls from owners or using advance payment programs from insurers to manage the short-term cash flow obligations. Providers are struggling to obtain prior authorization, fill pharmacy orders and validate coverage, while health insurance companies are struggling to reimburse providers for claims and provide explanations of benefits to members.
Organizations beyond the health care ecosystem are affected, too, as third-party administrators that process medical claims for self-funded health insurance plans also use Change Healthcare.
In 2023, 65% of U.S. workers were covered by self-funded health insurance plans, according to data compiled by Statista. Half of U.S. medical claims go through Change Healthcare’s electronic data interchange clearinghouse according to an anti-trust lawsuit in 2022, thus it’s likely one in three workers in the U.S. could be affected.
Staying resilient
Unwinding and clearing out the unpaid claims will be labor intensive for many organizations and could take a considerable amount of time. Providers and those who have alternative clearinghouse relationships or direct payment relationships with payors may have already made the switch to receive or pay claims, but for those that don’t have this access, the time and cost can be extensive. The longer an organization waits to decide the path forward, the more complex and significant the issue becomes.
Cyber risks will accelerate as the digitization of the economy and age of artificial intelligence matures. For health care organizations, the concern is only growing. Through March 19, mentions of cyberattacks by health care organizations had reached nearly half of last year’s record total.
Organizations should reflect on how to enhance their safeguards to mitigate these risks. Key considerations include:
- Do we have sufficient business continuity planning in place? Does this include a ransomware response?
- Have we tested our recovery plans to ensure they will work and that our teams are trained?
- Does our third-party/vendor risk management program sufficiently protect us from cyber breaches?
- Does our enterprise risk program account for events affecting our critical vendors or suppliers?
- Have we evaluated our cyber program against leading practices to ensure it sufficiently protects the organization?
- Does our cybersecurity insurance policy cover both domestic and foreign attackers and is the coverage sufficient?
- Is our investment in cyber protections aligned with our investments in technology and our revenue growth?
The takeaway
The cyberattack on Change Healthcare has roiled the health care ecosystem and will take a considerable amount of time to resolve. These risks will continue to persist given patient data is some of the most valuable data that bad actors seek out. As the age of artificial intelligence and the digitization of the health care ecosystem matures, risks will continue to rise. Organizations should continue to evaluate if their data governance, vendor management and business continuity practices will be resilient enough to weather the storm when a cyberattack occurs.
RSM US LLP contributor: Greg Vetter
Learn more about cybersecurity and the health care industry.