Dire Consequences of the Change Healthcare Cyberattack

On February 21, 2024, the healthcare sector faced a seismic disruption when Change Healthcare, a cornerstone in the healthcare data exchange ecosystem, fell victim to a sophisticated cyberattack. Orchestrated by the notorious ransomware group known as ALPHV/Blackcat, this attack not only compromised the integrity of Change Healthcare's systems but also sent shockwaves across the entire healthcare landscape, affecting providers, insurers, and patients alike. Change Healthcare, now part of Optum under the umbrella of UnitedHealth Group thanks to a controversial $13 billon dollar acquisition, plays a central role in processing medical claims, verifying insurance eligibility, and facilitating electronic prescriptions for as many as half of all claims processed in the U.S. The immediate fallout from this cyberattack has spotlighted the fragility of our interconnected healthcare infrastructure and raised urgent questions about cybersecurity, patient care continuity, and the broader implications of healthcare consolidation.

As of March 6, 2024, the situation surrounding the Change Healthcare cyberattack remains critical. UnitedHealth Group has made strides in implementing workarounds and temporary solutions to restore some level of functionality to pharmacy, claims, and payment systems. While progress in providing temporary solutions is a positive development, the absence of a definitive timetable for fully restoring all affected services continues to pose significant challenges for providers, independent pharmacies, and patients alike. The financial strain on these entities persists, compounded by UnitedHealth Group's continued collection of patient premiums amidst the outage. With UnitedHealth Group's net worth standing at $433,790,000,000, the contrast between the corporation's financial standing and the ongoing struggles within the healthcare sector is stark, underscoring the urgent need for a comprehensive resolution to this unprecedented crisis.

Direct Impact on Patient Access and Care

The cyberattack on Change Healthcare has not only disrupted the healthcare data exchange ecosystem but has also led to significant patient distress and financial uncertainty. This crisis has been further compounded by the emergence of potential litigation from patients left to grapple with whether insurance will cover their treatments or medications. Patients, regardless of their plan type, are finding themselves at a heightened risk of incurring unexpected bills, exacerbating the already dire situation.

Take, for instance, the experience of Mara Furlich. Battling escalating Covid-19 symptoms and unable to get her claim processed due to the cyberattack, Furlich was forced to pay $1,600 out of pocket for Paxlovid. Similarly, one of the Community Access National Network’s (CANN) very own board members was confronted with a balance bill of over $2,000 from CVS Specialty Pharmacy for HIV medication when their Patient Assistance Program benefits were unable to be processed, illustrating the financial and access barriers erected by the cyberattack. This scenario, emblematic of the difficulties in processing Patient Assistance Programs (PAPs), underscores the significant disruptions to medication access, especially critical for managing chronic conditions.

Jen Laws, President & CEO of CANN, articulates the broader ramifications for people living with HIV (PLWH). "We've been in contact with our partners, including funders, to raise the concern around maintaining continuous access to care for PLWH, regardless of their payor," Jen states. "The reality is patients need to be aware their pharmacies, providers, and labs may be struggling to communicate and deliver timely service because of the sheer breadth of Change's reach."

This incident, alongside the litigation threats reported by Axios, underscores the acute disruptions to medication access and the financial jeopardy faced by patients. Kathy Oubre, CEO of Pontchartrain Cancer Center in Louisiana, shares similar concerns, noting the center has had to dispense drugs at risk due to the benefits verification process being down, leaving providers and patients "flying blind."

These developments signal a critical juncture in the healthcare sector's response to the cyberattack, highlighting the urgent need for systemic solutions to restore patient access to care and address the financial uncertainties exacerbated by this crisis.

The Role and Response of UnitedHealth Group

UnitedHealth Group found itself at the heart of this crisis. The conglomerate's response has been a blend of damage control and strategic measures aimed at mitigating the fallout. UnitedHealth Group's acknowledgment of the cyberattack was swift, with public assurances of their commitment to rectify the situation and restore full services. Part of their response has been the launch of a temporary financial assistance program, as outlined on UnitedHealth Group's website. This program, offering interest-free loans to affected healthcare providers, has been promoted as a means to ease the financial burden wrought by the cyberattack, facilitating the recovery of disrupted cash flows and delayed payments.

Yet, this initiative has not been universally welcomed. Criticism from the American Hospital Association (AHA) and other healthcare stakeholders has been vocal, with many decrying the financial assistance terms as burdensome, highlighting the disconnect between UnitedHealth's proposed solutions and the actual needs of the healthcare providers struggling in the cyberattack's aftermath.

The plight of Dr. Christine Meyer's primary care practice in Exton, PA, as reported by The New York Times, exemplifies the dire straits many healthcare providers find themselves in due to the cyberattack on Change Healthcare. Dr. Meyer's account of resorting to mailing "hundreds and hundreds" of pages of Medicare claims highlights the drastic measures providers are forced to take to navigate the bureaucratic maze in the absence of functional digital systems. The stark reality of having to consider cuts to essential services, like vaccine supplies, to conserve cash underscores the severity of the situation. Through Optum’s temporary funding assistance program, Dr. Meyer said she received a loan of $4,000, compared with the roughly half-million dollars she typically submits through Change. “That is less than 1 percent of my monthly claims and, adding insult to injury, the notice came with this big red font that said, you have to pay all of this back when this is resolved,” Dr. Meyer said. “It is all a joke.”

Moreover, UnitedHealth Group's continued collection of patient premiums amidst this turmoil has sparked further controversy, raising ethical questions about corporate responsibility versus profitability during a healthcare crisis. UnitedHealth Group's role in this crisis and its response to the cyberattack highlight the complex interplay between healthcare infrastructure, corporate governance, and patient care. As the healthcare sector navigates the aftermath of the cyberattack, the actions taken by UnitedHealth Group will likely continue to be a focal point for analysis and discussion, underscoring the need for robust, patient-centered solutions in the face of unprecedented challenges.

ADAPs and PAPs: Navigating the Cyberattack Crisis

The cyberattack has exposed the vulnerabilities of essential healthcare support systems, notably AIDS Drug Assistance Programs (ADAPs) and Patient Assistance Programs (PAPs). These programs, a critical safety net for providing vulnerable populations with access to necessary medications, have faced significant challenges in maintaining their operations amidst the cyberattack's disruptions.

In response, NASTAD issued guidance to ADAP administrators in an email, indicating that, due to delays in prescription fills caused by the outage, programs might need to temporarily cover medication costs directly, later seeking reimbursement from pharmacies. This measure, while ensuring that ADAP remains the 'payer of last resort,' highlights the operational and financial complexities these programs are navigating to keep access to care uninterrupted.

The repercussions of the cyberattack go beyond operational disruptions, threatening the very fabric of the healthcare safety net. The interim 'full pay' solution underscores the delicate balance between ensuring immediate access to medications and the long-term sustainability of these programs.

Amidst this crisis, the collective action of healthcare stakeholders is imperative. The NASTAD memo not only outlines immediate actions for ADAP administrators but also calls for widespread support to uphold these critical programs, encouraging ready communication to case managers and patients regarding the situation, status updates, and navigating alternative access to care as needed. As the sector continues to address the fallout from the cyberattack, the adaptability and resilience of ADAPs and PAPs are paramount in ensuring continuous care for those who depend on them most.

Reassessing Healthcare's "Too Big to Fail" Doctrine

This unprecedented disruption of critical services has exposed serious vulnerabilities associated with the healthcare sector's consolidation, particularly following UnitedHealth Group's acquisition of Change Healthcare. This event has reignited the debate over the "too big to fail" concept within healthcare, a concern that the Federal Trade Commission (FTC) had previously filed suit over due to potential risks of market dominance and a centralized point of failure.

The FTC's apprehensions about the merger highlighted fears of creating an overly centralized healthcare data exchange ecosystem, susceptible to significant disruptions from single points of failure. These theoretical concerns have been realized in the wake of the cyberattack, illustrating the tangible systemic risks of such consolidation. The incident underscores the precarious balance between efficiency gains through consolidation and the increased risk of widespread service disruptions. It should also seriously call into question prioritizing corporate profits and shareholder value over patient care and access.

The U.S. Department of Justice's recent launch of an antitrust investigation into UnitedHealth Group, as reported by The Wall Street Journal, adds a new layer to the ongoing debate. This investigation, focusing on UnitedHealth's expansive reach across the healthcare sector and its potential effects on competition and consumer choice, signals a critical moment in the U.S. government's efforts to address monopolistic consolidation practices within the healthcare industry.

Furthermore, the disproportionate impact on smaller entities, such as independent pharmacies and patient assistance programs, underlines the broader implications of healthcare consolidation. These challenges highlight the need for a healthcare infrastructure that values diversity and decentralization, fostering resilience against such cyber threats.

In light of the antitrust investigation and the fallout from the cyberattack, there's a pressing need for a comprehensive reassessment of healthcare consolidation trends. Strategic regulatory oversight, significant investments in cybersecurity, and comprehensive contingency planning are essential to mitigate the "too big to fail" risks. The healthcare system's integrity, resilience, and commitment to patient care in an increasingly digital age demand a vigilant approach to ensuring that consolidation does not compromise the sector's ability to serve the public effectively.

Call for Policy Intervention and Sector-wide Reforms

The cyberattack on Change Healthcare has catalyzed a unified call for urgent policy interventions and comprehensive sector-wide reforms from leading healthcare organizations, including the American Hospital Association (AHA) and the Medical Group Management Association (MGMA). These calls to action emphasize the critical need to fortify cybersecurity defenses, guarantee equitable patient access to care, and critically evaluate the prevailing trends of healthcare consolidation that have left the sector vulnerable.

The AHA has been at the forefront, advocating for robust support to help healthcare providers weather the storm caused by the cyberattack. Their public statement underscores the profound operational and financial challenges healthcare providers are facing, urging for greater flexibility from payers and governmental intervention to alleviate the crisis's immediate impacts.

Echoing this sentiment, the MGMA has highlighted the dire circumstances medical groups are navigating, as detailed in their communication to HHS Secretary Xavier Becerra. The association's plea for comprehensive support from the Department of Health and Human Services (HHS) reflects the broader necessity for guidance, financial aid, and regulatory leniency to ensure the sustainability of medical practices during these turbulent times.

Both organizations also spotlight the broader issue of healthcare consolidation, critiquing the increased centralization of healthcare services as a significant factor exacerbating the cyberattack's impact. This consolidation not only poses heightened cybersecurity risks but also threatens the diversity and resilience of the healthcare ecosystem. In response, there's a pressing demand for policy reforms that address both the immediate cybersecurity vulnerabilities and the long-term implications of healthcare consolidation, aiming to cultivate a more robust, diverse, and equitable healthcare system.

Urgent Calls to Action:

1. UnitedHealth Group must significantly expand its financial assistance program to offer real relief to the affected healthcare providers, pharmacies, and patients, ensuring the aid is substantial and derived from its vast resources, not at the expense of American taxpayers.

2. Regulatory bodies, including the FTC, must critically assess healthcare consolidation's impact, implementing measures to mitigate the risks of such centralization and prevent future vulnerabilities.

3. A united front of healthcare providers, associations, and advocacy groups is essential to demand accountability and transparency from UnitedHealth Group and similar entities, ensuring commitments to cybersecurity and continuity of care are upheld.

4. Legislators and policymakers are called upon to enact stringent cybersecurity regulations for the healthcare sector, emphasizing the need for comprehensive security protocols, consistent audits, and effective contingency planning.

5. A broader dialogue on healthcare consolidation's future is necessary, advocating for a healthcare model that prioritizes patient welfare, system resilience, and equitable access above corporate profitability.

In the wake of the Change Healthcare cyberattack, the path forward requires not just immediate remedial actions but also a deep, systemic reevaluation of the healthcare sector's structure and policies. It's time for decisive action and meaningful reform to ensure a secure, resilient healthcare system that serves the needs of all patients, safeguarding against future crises and fostering a healthcare environment where patient care is paramount.