Health

The Economic Contours of the Change Healthcare Cyber Attack: Taking Stock So Far

On February 22, 2024, I went to a CVS Pharmacy-Inside-Target in my community to fill a prescription for benzonatate 200 mg capsules. I had caught a bad case of the flu the week before, and subsequently suffered a very long tail of a cough.

That’s TMI for me to write about in the Health Populi blog, but this story has a current-events twist: the pharmacist could not electronically link with my insurance company to transact my payment. He tried a few work-flows, and ended up using a discount card which in the moment worked for us, and I paid the marked-down discount price.

I asked what was going on, and he said the system hadn’t been working for the past day and was uncertain whether it would work “tomorrow.” I decided to pay the best cash price I could strike and get onto the meds to help abate my bothersome cough.

In the meantime, within a matter of hours, I learned that my little story was one of millions of other claims that were part of the Change Healthcare cyberattack. Here’s what I eventually read on the Change Healthcare website, posted at 11:32 am ET on February 22.

“Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. At this time, we believe the issue is specific to Change Healthcare and all other systems across UnitedHealth Group are operational.”

Today marks 20 days in the post-Change Healthcare environment, with some health executives already hypothesizing in Becker’s how this, the largest such health industry security breach ever, could re-shape American health care.

The Department of Health and Human Services finally weighed in on the situation on March 5th.

The American Medical Association has been updating a Change Healthcare cyber outage page, been on top of this for its deeply fiscally impacted physician constituents beginning February 21st, with ongoing reports and resource links to keep members current and supported.

The American Hospital Association is curating a similar page for the organization’s hospital members with updates and special reports and links.

My own thought-patterns have begun to organize and assess the economic impacts of this historic adverse event on the U.S. health care system. This post will be the first of at least a few. So I’ll share my preliminary template with you which will inevitably adapt over the coming days and weeks as we learn more and gather more complete information. For now, consider a range of impacts:

Financial losses: Axios reported that in aggregate, U.S. health care providers could have lost as much as $1 billion a day in daily revenue during the outage (compared with 2023). For the Massachusetts health care system, the Change Healthcare attack is costing about $24 million a day, reported by WBUR, impacting hospitals, health systems, physician groups, and other health care providers.

Cash flow disruption:  Cash flow has been a major concern for all providers due to their inability to submit claims and receive payments. Payments and money flows to providers have been significantly affected, which DHHS addressed in its update.

Provider viability: Some providers, who were just beginning to be in the black with a bit of positive margin, have been financially strained by the event. Billions of dollars of non-payments are challenging certain hospitals and medical practices to remain open and provide essential services.

The cost of patient data spillage:  We won’t know the estimate for this line-item for some time, but we must keep it in our accounting as a key line-item on patients’ minds and, potentially, in pocketbooks.

A future hit on providers’ credit ratings? Looking ahead, the financial repercussions of the cyberattack could also impact providers’ credit ratings, with Moody’s Ratings noting that, “even large providers with thin margins and weak liquidity are not immune to challenges and will eventually face liquidity hurdles if the disruption lingers.”

The cost of patient access to care: In a sort of post-pandemic clinical deja vu, the cyberattack has led to some patient care delays; some health care planners are forecasting patient safety implications that could persist for years.

I’ll leave you with thoughts on patients’ access to medicines, already a stress-inducing issue for families whether dealing with sick kids or older folks managing Medicare Part D and cash in retirement. The bright lights at Hayden, access consultants, put together this comprehensive view on the Change Healthcare cyberattack impacts on medicines. I was lucky to have a clued-in pharmacy and access to an available pill that I could afford via cash payment.

Others? Not so lucky.

Let’s also keep an eye on how this event might impact, for the worse, patients’ eroding trust in health care, technology, insurance, and perhaps even the pharmacy.