Change Healthcare Cyberattack: CMS Relief Program Missed Hundreds of Hospitals, Overpaid Others
Table of Contents
A new study reveals notable inequities in the distribution of $3.3 billion in federal relief funds intended to mitigate the financial fallout from the 2024 Change Healthcare cyberattack, with many hospitals receiving excess payments while hundreds more were left unsupported.
The cyberattack on Change Healthcare, a UnitedHealth-owned payment processor and technology firm, triggered widespread disruption across the healthcare sector in early 2024. The breach, which exposed the data of over 192 million people – marking the largest healthcare data breach ever reported to federal regulators – upended critical administrative functions like claims processing, eligibility checks, and prior authorizations. In response, the Centers for Medicare & Medicaid Services (CMS) launched a relief program offering advanced funds to Medicare providers.
However, research published last week in Health Affairs indicates the program was far from a perfect solution. The study found that the majority of hospitals received payments exceeding thier actual Medicare revenue loss during the initial six weeks of the cyberattack. Simultaneously, over 300 hospitals did not participate in the program despite experiencing comparable financial setbacks.
“Our findings also indicate the importance of provider outreach if CMS continues with an opt-in approach to relief payments,” researchers wrote.”This approach is appealing because of its ability to target relief payments to providers attesting to their need, but we found strong evidence that many hospitals experiencing revenue disruptions during the Change Healthcare cyberattack did not recieve [Change Healthcare/Optum Payment Disruption] program relief payments.”
Uneven Distribution of Funds
The CMS distributed the $3.3 billion in relief funds to Medicare providers in early 2024. The program allowed providers to apply for a one-time payment equivalent to 30 days of their average Medicare reimbursement, with the option to request a smaller amount. These payments were ultimately recouped by the CMS without interest.
The Health Affairs research revealed a significant imbalance in how these funds were allocated. Hospitals received over two-thirds of the total payments,while physicians accounted for nearly 19%. The median hospital experienced a surplus of $314,302, with roughly one-third receiving payments exceeding their revenue loss by $1 million or more.
Rural and Small Hospitals Left Behind
the study highlighted a concerning trend: hospitals that didn’t participate in the relief program were disproportionately small and rural facilities. These hospitals experienced revenue disruptions comparable to those that did receive aid. The median hospital participating in the program saw a 66% decrease in Medicare revenue compared to the same period in 2023. In contrast,the median non-participating hospital experienced similar revenue levels.
Specifically, 312 hospitals were identified as having experienced revenue disruptions equal to or greater than the median participating facility, yet they did not receive relief payments.These facilities were more likely to be smaller, independently owned, and located in rural areas.
Implications for Future Relief Efforts
The findings suggest the CMS should re-evaluate its approach to provider relief programs. Researchers recommend adjusting payment amounts to avoid overcompensation and prioritizing additional support for providers facing the most severe disruptions. A more proactive outreach strategy is also crucial to ensure that all eligible providers, particularly those in rural and underserved communities, are aware of and can access available resources.
The Change Healthcare cyberattack underscored the vulnerability of the healthcare system to cybercrime. As the sector continues to grapple with increasing threats, a more equitable and effective relief mechanism is essential to protect providers and ensure continued access to care. .
