Dive Brief:
- The CMS overpaid many hospitals in a relief program during the Change Healthcare cyberattack last year, while missing hundreds of hospitals that also faced significant financial disruption, according to a study published last week in Health Affairs.
- The federal government distributed $3.3 billion to Medicare providers in early 2024 as payments were disrupted by the attack on the UnitedHealth-owned payment processor and technology firm, the research found.
- But most hospitals received payments that exceeded their Medicare revenue loss during the first six weeks of the cyberattack, according to the study. Additionally, more than 300 hospitals didn’t participate in the relief program, even though they saw similar losses — and were more likely to be small and rural facilities.
Dive Insight:
The cyberattack on Change was a major disruption to the healthcare sector, already a significant target for cybercriminals. The attack ultimately exposed the data of more than 192 million people — the largest healthcare data breach ever reported to federal regulators.
The attack roiled the healthcare sector for weeks in early 2024, upending typical administrative work, such as claims processing, eligibility checks, prior authorization requests and prescription fulfillment.
Many providers were unable to submit claims and receive reimbursement for services. Change, which was acquired by healthcare giant UnitedHealth’s Optum unit in 2022, handles billions of transactions each year.
In a move to alleviate some of the financial pressure that arose in the wake of the cyberattack, the CMS set up a relief program that allowed Medicare providers to apply for advanced funds.
Providers would receive a one-time payment equal to 30 days of their average Medicare reimbursement, or less if requested. The payments weren’t adjusted for severity of disruption, and the CMS eventually recouped the payments without charging interest.
Overall, hospitals received more than two-thirds of total payments from the CMS under the relief program, followed by physicians who received nearly 19% of payments, according to the Health Affairs research.
However, most hospitals received more funds than needed to offset their losses. The median hospital had a surplus of $314,302, according to the research. Still, about one-third saw their revenue loss exceed their payment from the relief program, while another one-third received a payment of $1 million or more above their revenue loss.
Additionally, some hospitals didn’t participate in the program, even though they likely faced financial disruption during the cyberattack.
The median hospital in the program received about 66% less Medicare revenue amid the attack compared with the same period in 2023. In comparison, the median hospital that didn’t participate had very similar Medicare revenue during the two periods.
However, the research found 312 hospitals that didn’t receive relief payments, but saw a revenue disruption equal to or larger than the median participating facility. Those hospitals were more likely to be smaller, less likely to be nonprofit-owned or part of a health system, and much more likely to be located in a rural area.
The study suggests the CMS could improve future provider relief programs, researchers wrote. For example, the agency could reduce payments, given that many hospitals were overpaid, but add support for providers that faced particularly severe disruption.
“Our findings also indicate the importance of provider outreach if CMS continues with an opt-in approach to relief payments,” researchers wrote. “This approach is appealing because of its ability to target relief payments to providers attesting to their need, but we found strong evidence that many hospitals experiencing revenue disruptions during the Change Healthcare cyberattack did not receive [Change Healthcare/Optum Payment Disruption] program relief payments.”