On February 21, 2024, the healthcare sector faced a seismic disruption when Change Healthcare, a cornerstone in the healthcare data exchange ecosystem, fell victim to a sophisticated cyberattack. Orchestrated by the notorious ransomware group known as ALPHV/Blackcat, this attack not only compromised the integrity of Change Healthcare's systems but also sent shockwaves across the entire healthcare landscape, affecting providers, insurers, and patients alike. Change Healthcare, now part of Optum under the umbrella of UnitedHealth Group thanks to a controversial $13 billon dollar acquisition, plays a central role in processing medical claims, verifying insurance eligibility, and facilitating electronic prescriptions for as many as half of all claims processed in the U.S. The immediate fallout from this cyberattack has spotlighted the fragility of our interconnected healthcare infrastructure and raised urgent questions about cybersecurity, patient care continuity, and the broader implications of healthcare consolidation.

As of March 6, 2024, the situation surrounding the Change Healthcare cyberattack remains critical. UnitedHealth Group has made strides in implementing workarounds and temporary solutions to restore some level of functionality to pharmacy, claims, and payment systems. While progress in providing temporary solutions is a positive development, the absence of a definitive timetable for fully restoring all affected services continues to pose significant challenges for providers, independent pharmacies, and patients alike. The financial strain on these entities persists, compounded by UnitedHealth Group's continued collection of patient premiums amidst the outage. With UnitedHealth Group's net worth standing at $433,790,000,000, the contrast between the corporation's financial standing and the ongoing struggles within the healthcare sector is stark, underscoring the urgent need for a comprehensive resolution to this unprecedented crisis.

Direct Impact on Patient Access and Care

The cyberattack on Change Healthcare has not only disrupted the healthcare data exchange ecosystem but has also led to significant patient distress and financial uncertainty. This crisis has been further compounded by the emergence of potential litigation from patients left to grapple with whether insurance will cover their treatments or medications. Patients, regardless of their plan type, are finding themselves at a heightened risk of incurring unexpected bills, exacerbating the already dire situation.

Take, for instance, the experience of Mara Furlich. Battling escalating Covid-19 symptoms and unable to get her claim processed due to the cyberattack, Furlich was forced to pay $1,600 out of pocket for Paxlovid. Similarly, one of the Community Access National Network’s (CANN) very own board members was confronted with a balance bill of over $2,000 from CVS Specialty Pharmacy for HIV medication when their Patient Assistance Program benefits were unable to be processed, illustrating the financial and access barriers erected by the cyberattack. This scenario, emblematic of the difficulties in processing Patient Assistance Programs (PAPs), underscores the significant disruptions to medication access, especially critical for managing chronic conditions.

Jen Laws, President & CEO of CANN, articulates the broader ramifications for people living with HIV (PLWH). "We've been in contact with our partners, including funders, to raise the concern around maintaining continuous access to care for PLWH, regardless of their payor," Jen states. "The reality is patients need to be aware their pharmacies, providers, and labs may be struggling to communicate and deliver timely service because of the sheer breadth of Change's reach."

This incident, alongside the litigation threats reported by Axios, underscores the acute disruptions to medication access and the financial jeopardy faced by patients. Kathy Oubre, CEO of Pontchartrain Cancer Center in Louisiana, shares similar concerns, noting the center has had to dispense drugs at risk due to the benefits verification process being down, leaving providers and patients "flying blind."

These developments signal a critical juncture in the healthcare sector's response to the cyberattack, highlighting the urgent need for systemic solutions to restore patient access to care and address the financial uncertainties exacerbated by this crisis.

The Role and Response of UnitedHealth Group

UnitedHealth Group found itself at the heart of this crisis. The conglomerate's response has been a blend of damage control and strategic measures aimed at mitigating the fallout. UnitedHealth Group's acknowledgment of the cyberattack was swift, with public assurances of their commitment to rectify the situation and restore full services. Part of their response has been the launch of a temporary financial assistance program, as outlined on UnitedHealth Group's website. This program, offering interest-free loans to affected healthcare providers, has been promoted as a means to ease the financial burden wrought by the cyberattack, facilitating the recovery of disrupted cash flows and delayed payments.

Yet, this initiative has not been universally welcomed. Criticism from the American Hospital Association (AHA) and other healthcare stakeholders has been vocal, with many decrying the financial assistance terms as burdensome, highlighting the disconnect between UnitedHealth's proposed solutions and the actual needs of the healthcare providers struggling in the cyberattack's aftermath.

The plight of Dr. Christine Meyer's primary care practice in Exton, PA, as reported by The New York Times, exemplifies the dire straits many healthcare providers find themselves in due to the cyberattack on Change Healthcare. Dr. Meyer's account of resorting to mailing "hundreds and hundreds" of pages of Medicare claims highlights the drastic measures providers are forced to take to navigate the bureaucratic maze in the absence of functional digital systems. The stark reality of having to consider cuts to essential services, like vaccine supplies, to conserve cash underscores the severity of the situation. Through Optum’s temporary funding assistance program, Dr. Meyer said she received a loan of $4,000, compared with the roughly half-million dollars she typically submits through Change. “That is less than 1 percent of my monthly claims and, adding insult to injury, the notice came with this big red font that said, you have to pay all of this back when this is resolved,” Dr. Meyer said. “It is all a joke.”

Moreover, UnitedHealth Group's continued collection of patient premiums amidst this turmoil has sparked further controversy, raising ethical questions about corporate responsibility versus profitability during a healthcare crisis. UnitedHealth Group's role in this crisis and its response to the cyberattack highlight the complex interplay between healthcare infrastructure, corporate governance, and patient care. As the healthcare sector navigates the aftermath of the cyberattack, the actions taken by UnitedHealth Group will likely continue to be a focal point for analysis and discussion, underscoring the need for robust, patient-centered solutions in the face of unprecedented challenges.

ADAPs and PAPs: Navigating the Cyberattack Crisis

The cyberattack has exposed the vulnerabilities of essential healthcare support systems, notably AIDS Drug Assistance Programs (ADAPs) and Patient Assistance Programs (PAPs). These programs, a critical safety net for providing vulnerable populations with access to necessary medications, have faced significant challenges in maintaining their operations amidst the cyberattack's disruptions.

In response, NASTAD issued guidance to ADAP administrators in an email, indicating that, due to delays in prescription fills caused by the outage, programs might need to temporarily cover medication costs directly, later seeking reimbursement from pharmacies. This measure, while ensuring that ADAP remains the 'payer of last resort,' highlights the operational and financial complexities these programs are navigating to keep access to care uninterrupted.

The repercussions of the cyberattack go beyond operational disruptions, threatening the very fabric of the healthcare safety net. The interim 'full pay' solution underscores the delicate balance between ensuring immediate access to medications and the long-term sustainability of these programs.

Amidst this crisis, the collective action of healthcare stakeholders is imperative. The NASTAD memo not only outlines immediate actions for ADAP administrators but also calls for widespread support to uphold these critical programs, encouraging ready communication to case managers and patients regarding the situation, status updates, and navigating alternative access to care as needed. As the sector continues to address the fallout from the cyberattack, the adaptability and resilience of ADAPs and PAPs are paramount in ensuring continuous care for those who depend on them most.

Reassessing Healthcare's "Too Big to Fail" Doctrine

This unprecedented disruption of critical services has exposed serious vulnerabilities associated with the healthcare sector's consolidation, particularly following UnitedHealth Group's acquisition of Change Healthcare. This event has reignited the debate over the "too big to fail" concept within healthcare, a concern that the Federal Trade Commission (FTC) had previously filed suit over due to potential risks of market dominance and a centralized point of failure.

The FTC's apprehensions about the merger highlighted fears of creating an overly centralized healthcare data exchange ecosystem, susceptible to significant disruptions from single points of failure. These theoretical concerns have been realized in the wake of the cyberattack, illustrating the tangible systemic risks of such consolidation. The incident underscores the precarious balance between efficiency gains through consolidation and the increased risk of widespread service disruptions. It should also seriously call into question prioritizing corporate profits and shareholder value over patient care and access.

The U.S. Department of Justice's recent launch of an antitrust investigation into UnitedHealth Group, as reported by The Wall Street Journal, adds a new layer to the ongoing debate. This investigation, focusing on UnitedHealth's expansive reach across the healthcare sector and its potential effects on competition and consumer choice, signals a critical moment in the U.S. government's efforts to address monopolistic consolidation practices within the healthcare industry.

Furthermore, the disproportionate impact on smaller entities, such as independent pharmacies and patient assistance programs, underlines the broader implications of healthcare consolidation. These challenges highlight the need for a healthcare infrastructure that values diversity and decentralization, fostering resilience against such cyber threats.

In light of the antitrust investigation and the fallout from the cyberattack, there's a pressing need for a comprehensive reassessment of healthcare consolidation trends. Strategic regulatory oversight, significant investments in cybersecurity, and comprehensive contingency planning are essential to mitigate the "too big to fail" risks. The healthcare system's integrity, resilience, and commitment to patient care in an increasingly digital age demand a vigilant approach to ensuring that consolidation does not compromise the sector's ability to serve the public effectively.

Call for Policy Intervention and Sector-wide Reforms

The cyberattack on Change Healthcare has catalyzed a unified call for urgent policy interventions and comprehensive sector-wide reforms from leading healthcare organizations, including the American Hospital Association (AHA) and the Medical Group Management Association (MGMA). These calls to action emphasize the critical need to fortify cybersecurity defenses, guarantee equitable patient access to care, and critically evaluate the prevailing trends of healthcare consolidation that have left the sector vulnerable.

The AHA has been at the forefront, advocating for robust support to help healthcare providers weather the storm caused by the cyberattack. Their public statement underscores the profound operational and financial challenges healthcare providers are facing, urging for greater flexibility from payers and governmental intervention to alleviate the crisis's immediate impacts.

Echoing this sentiment, the MGMA has highlighted the dire circumstances medical groups are navigating, as detailed in their communication to HHS Secretary Xavier Becerra. The association's plea for comprehensive support from the Department of Health and Human Services (HHS) reflects the broader necessity for guidance, financial aid, and regulatory leniency to ensure the sustainability of medical practices during these turbulent times.

Both organizations also spotlight the broader issue of healthcare consolidation, critiquing the increased centralization of healthcare services as a significant factor exacerbating the cyberattack's impact. This consolidation not only poses heightened cybersecurity risks but also threatens the diversity and resilience of the healthcare ecosystem. In response, there's a pressing demand for policy reforms that address both the immediate cybersecurity vulnerabilities and the long-term implications of healthcare consolidation, aiming to cultivate a more robust, diverse, and equitable healthcare system.

Urgent Calls to Action:

1. UnitedHealth Group must significantly expand its financial assistance program to offer real relief to the affected healthcare providers, pharmacies, and patients, ensuring the aid is substantial and derived from its vast resources, not at the expense of American taxpayers.

2. Regulatory bodies, including the FTC, must critically assess healthcare consolidation's impact, implementing measures to mitigate the risks of such centralization and prevent future vulnerabilities.

3. A united front of healthcare providers, associations, and advocacy groups is essential to demand accountability and transparency from UnitedHealth Group and similar entities, ensuring commitments to cybersecurity and continuity of care are upheld.

4. Legislators and policymakers are called upon to enact stringent cybersecurity regulations for the healthcare sector, emphasizing the need for comprehensive security protocols, consistent audits, and effective contingency planning.

5. A broader dialogue on healthcare consolidation's future is necessary, advocating for a healthcare model that prioritizes patient welfare, system resilience, and equitable access above corporate profitability.

In the wake of the Change Healthcare cyberattack, the path forward requires not just immediate remedial actions but also a deep, systemic reevaluation of the healthcare sector's structure and policies. It's time for decisive action and meaningful reform to ensure a secure, resilient healthcare system that serves the needs of all patients, safeguarding against future crises and fostering a healthcare environment where patient care is paramount.

On July 20th, the United States extended its existing declaration of Public Health Emergency (PHE) in response to the COVID-19 pandemic for 90 days. Previously, the PHE had been renewed 6 times under the previous and current administrations. The PHE declaration may be extended past October 20th, 2021, should the Secretary of Health and Human Services (HHS), Xavier Becerra, renew the declaration.

Pandemic response and relief funding from the federal government has come with strings attached in order to ensure those funds are directed toward those who need the help the most. Most of these strings operate as both “stick and carrot” and one of the more interesting “carrots” was the increase of federal dollars supporting state Medicaid programs for the trade-off of maintaining those Medicaid rolls, temporarily ceasing redetermination and reenrollment activities, allowing people to remain on Medicaid rolls through the PHE without having to go through the usual hoops of proving their eligibility on a more regular basis.

While the previous administration directed states to anticipate a return to usual work after the PHE, engaging in a massive redetermination effort inside of 6 months of the PHE ending, earlier this month, the Biden administration informed states that redetermination period would be extended to 12 months in order to avoid an artificial “bulge” of redeterminations and eligibility checks and, ultimately, a potential annual cycle of concentrated renewals in a short window of time. It’s important to remember, as we discuss Medicaid redetermination, rules vary by state and those disenrolled during redetermination are not necessarily ineligible, they may merely not have had an opportunity to respond to a request for information for a variety of reasons.

The guidance from the Biden Administration speaks directly to this issue, stating states should consider providing a “reasonable” amount of time for clients to provide additional information for redetermination. The administration’s idea of a reasonable amount of time is 30 days. Louisiana, as an example, typically only allows for 10 days from the date in which a paper letter has been mailed to a Medicaid recipient for that same recipient to respond. If the recipient is ill, needs to gather supporting evidence from multiple sources, the mail is slow, or any number of factors outside of their control, they may be unceremoniously disenrolled. A mass redetermination effort in a shortened period of time runs a significant risk of disenrolling otherwise eligible clients but for a process that leaves less than no room for delay or mistake. Indeed, a 2019 report from Louisiana’s Health department found that 85% of eligibility cases were closed for a lack of response to a request for information. Louisiana isn’t alone in these burdensome processes, which on the surface, appear to be aimed at discouraging residents from accessing Medicaid by way of process burden.

Overall, Medicaid and the Children’s Health Insurance Program (CHIP) saw an increase in enrollment starting in March 2020 and continuing today, though with a slower pace, after at least 2 years of decreasing enrollment, according to a Kaiser Family Foundation report. The same report shows Medicaid program enrollment has increased by about 20% - to about 81 million people – since February 2020 and expects many remain on Medicaid and CHIP rolls as a result of economic uncertainty and instability. 

At the intersection of Medicaid, COVID, and economic uncertainty are vulnerable communities, experiencing some of the highest rates of viral hepatitis and HIV. A tertiary benefit of Medicaid’s maintenance of coverage through the public health emergency is those living with viral hepatitis and HIV have been able to more readily seek coverage and care. The problem is a complete lack of “warm hand-off” between Medicaid programs and other assistance programs clients could be significantly advantaged by. Particularly, because of the overlap in intersections of oppression and risk (which some more readily recognize as “social determinants of health”), AIDS Drug Assistance Programs, Ryan White services, and other support services (both publicly and privately funded) are critical tools in our public health safety net.

Tossed off the front burner of public health efforts, “Ending the HIV Epidemic” activities have still been chugging along throughout the COVID-19 crisis. The only other concurrent running pandemic didn’t suddenly go away because COVID-19 came rushing to the forefront of our public health efforts. One of the things these other support programs struggle the most with is ensuring the public (and even health department and hospital case managers) know these programs exist. State Medicaid programs, AIDS service organizations, Ryan White Clinics, and all other safety net programs should be coordinating for the shift in patient load across appropriate programs now. These planning activities should not wait until the midnight hour. For county run COVID-19 testing sites and vaccination sites should be providing information to every, single person seeking a vaccine about available programming to meet the needs of community members. From rental assistance to food pantries to ADAPs, programs already reaching communities and families are the most ideal for starting the process of maintain care after the PHE ends. That starts with passive efforts like brochures and should continue with more active efforts, like engaging a state’s 311 information system with linkage to care tools, and more active still by employing navigators at the Medicaid level to assist clients in finding services, should those clients find themselves ineligible post-PHE.

While we’re not there yet (and it make take significantly longer than any of us like due to a lack of equitable global vaccine access and variant development), advocates, states, service providers, and patients should be planning for what comes next when the PHE eventually comes to an end. We cannot afford to lose people to care at this critical juncture.

[Editor’s Note: This blog is, in part, a replication of a blog hosted by the ADAP Advocacy Association. Supplementary policy analysis on hepatitis treatments continues in this blog]

It shouldn’t be a surprise to anyone that many AIDS Drug Assistance Program advocates are in favor of Medicaid expansion. Indeed, as noted here, those same advocates view Medicaid expansion as an opportunity to strengthen health care access for the most vulnerable people living with HIV, meet needs unaddressed by a state’s ADAP coverage, and help ADAPs remain financially stable. For ambitious advocates (I’m talking about myself), when sufficient support exists to support those at or below the expanded Medicaid eligibility threshold of 138% of the federal poverty level, state ADAPs could consider expanding income eligibility above 400% of the federal poverty level. Indeed, Louisiana is one such state.

However, like all health care policy, the details matter.

In Arizona, the state’s Medicaid formulary is restrictive and slow to adapt to the needs of qualified people living with HIV, shifting financial pressure to the state’s ADAP and requiring the most impoverished clients to manage interacting programs in order to achieve coverage of certain medications. As the payer of last resort, when ADAP clients have other coverage (ie. Medicaid), conflicting payment processes are most often felt at the point of medication delivery or when a client gets told, inadvertently, their medication is not paid for. The process of correcting this mistake can take a matter of days or weeks, depending on a pharmacy’s experience with co-occurring payers.

In that time, patients can fall out of care, drastically reducing their likelihood of achieving an undetectable viral load.

For ADAP formulary advisory committees, for states that have them, the process of adding and adjusting formularies is sometimes relatively expedient. Relatively, in part, because those medical experts and community experts understand the need and nature for ensuring access to an expansive list of antiretroviral medications and modern advancements. Arizona’s Medicaid formulary lacks several single tablet regimens and, in the opinion of Glen Spencer, executive director of Aunt Rita’s Foundation, favor outdated “cocktails” (or multi-tablet regimens), complicating daily care for people living with HIV and accessing Medicaid, often subjecting clients to greater experiences of toxicity, and ultimately interjects an unnecessary interruption in both patient choice and provider care.

In aiming to impress the need of Arizona’s Medicaid formulary to expand in both supporting the sustainability of the state’s ADAP and meeting national initiatives Mr. Spencer stated, “It is critically important that Arizona’s Medicaid program include all single-tablet regimens on its formulary to offer patients the right medication for them, and to provide medical providers with the flexibility they need to prescribe the right medication for each patient.”

To this end, Aunt Rita’s advocacy efforts are also expanding with proposed legislation addressing the failure of Arizona’s Health Care Cost Containment System (AHCCCS) to take up the issue. According to Mr. Spencer, the bill is not likely to make it out of committee this year and lacks any great deal of interest for legislators battling over other budgetary and policy concerns and does not currently have a companion bill in the state Senate. On the other hand, the bill is sponsored in the Arizona House by a bipartisan coalition of 9 legislators.

“In order to end the HIV epidemic, both the patient and provider community will need all therapies available to them to support persons living with HIV, save lives, and get patients to an undetectable viral load.” Mr. Spencer added, “This policy not only promotes patients’ ability to lead a robust life, but also prevents new infections given the science behind U=U.”

The state’s ADAP and Medicaid formularies also present a similar situation for medications used to treat Hepatitis C, leaving a critical gap in available health care services and treatment for those at risk of contracting Hepatitis C. While the state’s ADAP coverage includes most direct acting agents, Arizona’s Medicaid formulary only covers Epclusa, Mavyret, Ribovirin, and Peginterferon.

Arizona’s situation offers a critical reminder that even with the value of Medicaid expansion, in order to achieve the greatest reach of ADAPs, tackle the absolutely critical inclusion of treatment and retention in prevention efforts, and to eliminate viral hepatitis, the details matter and advocates will need to adapt old fights to new environments.