3/11/24 Update: Change Healthcare Cyber Attack and Preparing for Its Effects

Update (3/11/24): Insurance Claims and Litigation Considerations for organizations impacted by the Change Healthcare cyber-attack

The impact of the unfortunate cyber-attack upon Change Healthcare has had a profound financial impact on many healthcare providers cash flows and operations. Many providers are having significant challenges processing claims, billing, and fulfilling prescriptions which is threatening the financial viability of these providers and compromising patient care. Many providers are finding themselves without sufficient cash reserves or access to capital to manage this crisis much longer.

Advocacy efforts to support affected providers are growing at federal, state and regional levels, yet details regarding what relief may be offered, who will provide it, and when it will be available remain vague.

Financial relief associated with this event may eventually come in various forms and will likely include short-term and long-term sources. In the short term, sources would likely include provider advances, governmental support, or even advances directly from Optum/Change Healthcare. Providers may also turn to lines of credit or delay payment of accounts payable and other liabilities.

In the long-term, it is very possible that impacted providers may consider filing a business interruption claim, participating in litigation against Change Healthcare, or both.

To learn what steps you can take now to protect your organization’s financial health in light of the Change Healthcare cyber-attack, watch our webinar "Protecting Your Financial Health: Considerations for Insurance Claims and Litigation Related to the Change Healthcare Cyber-Attack."

Original Post (2/22/24)

On February 21, 2024 at 2:15am EST, Change Healthcare (Change), which is owned by Optum, initially reported that some applications were “currently unavailable”. Several hours later (5:05 am EST) Change provided an update and reported that they were “currently experiencing enterprise-wide connectivity issues”. Emerging details about the system disruption point to a cybersecurity issue.

In an SEC filing, UnitedHealth Group (parent company to Optum) identified "a suspected nation-state associated cyber security threat actor" on Feb. 21 had gained access to some Change IT systems. Updates provided by Change on February 22, 2024 state that the disruption is expected to last “at least through the day”.

On February 22, 2024 the American Hospital Association issued guidance to its members related to the potential for “significant cascading and disruptive effects on revenue cycle, certain healthcare technologies and clinical authorizations provided by Optum” and is “recommending that all health care organizations should also consider disconnection from Optum as well, until independently deemed safe to reconnect to Optum. It is also recommended that organizations which utilize Optum's services prepare related downtime procedures and contingency plans should Optum's services remain unavailable for an extended period."

Freed Maxick’s View: What Should Your Organization Do Now?

This attack is unprecedented.

Although the impact of the Change Healthcare cyber attack is still being understood it is clear its impact is far reaching. As such, it is imperative that healthcare providers mobilize quickly to minimize the impact to their organization and patients and continue operations as normally as possible.

Accordingly, we recommend organizations consider the following steps:  

• Assess overall impact due to the breadth of services provided by Change Healthcare and determine where key points of exposure reside relative to all aspects of operations.
• Follow the guidance of the American Medical Association. Disconnect from Change Healthcare services and begin to prepare for executing downtime contingency plans.
• Monitor updates from Change carefully. Consult with your Association and key legal and business advisors as well.
• Dedicate a member of Senior Management to gather and educate key management team members, identify potential disruptions, and begin to plan and execute your response. Communicate constantly.
• Inventory the possible clinical, financial and other challenges this disruption may pose to your organization.
• Document the impacts of the disruption. Consider your legal rights with respect to insurance (i.e. business interruption) as well as with Change Healthcare. Consider your legal/contractual obligations as well, especially if they are impacted (or created) by this disruption.

How we can help: Supporting your organization

Freed Maxick has experience navigating healthcare disruptions and can support your organization during this challenging time. Our team of industry and subject matter experts, specializing in revenue cycle, operations, corporate finance, and cyber security, can collaborate with your organization to help assess operational and financial impacts and develop a comprehensive response plan to sustain your operations.

The following may be helpful to you and your organization as you determine your response to this outage:

Revenue Cycle Considerations:

• Notify Payers of Impact
  • Consider if billing waivers are necessary for timely filing, prior authorization, denial appeals, etc.
  • Consider requesting cash payments in anticipation of claims to be filed.
• Report event effects to the necessary regulatory authorities and patients.
• Routine revenue cycle management activities impacts:
  • Implement charge entry, payment posting, and reconciliation procedures for all transactions impacted.
  • Consider impact on inpatient eligibility determinations, prior authorizations, payment denial notices, etc. and implement mitigation procedures.
  • Prioritize claims based on timely filing limits and lack of any waivers for manual processing.
  • Follow up billing for claims processing.
• Plan for restarting of systems including backloading of data, testing interfaces and controls, and reconciliation of data pre and post outage.

• Quantify the impact of potential delays in payment on current cash flow requirements:
  • Determine amount, if any, of payer cash advances that will be necessary.
  • Determine impact on other obligations (payroll, taxes, debt, leases, etc.) if cash flow is significantly disrupted and implement mitigation measures.

• Understand the impacts of outage on physician contracts and compensation arrangements.
• Understand the impacts from lost revenue on physician contracts due to:
  • Increases in claim denials.
  • Potential lost revenue from volume of services and revenue cycle yield.

• Monitor direct costs for sustaining operations during the outage, and restoring operations post-outage, such as:
  • Operational disruptions.
  • Staff costs including overtime.
  • Third-party contractor support costs.
  • New capital/IT costs necessary to continue operations.
  • Restoring data, entering data, and validating integrity.
  • Patient, Payor, and other notice requirements.
  • Lost revenue due to reduced volumes as well as revenue cycle yield.

These and other costs may be recoverable via business interruption insurance and/or a future damages claim.