Ambulatory surgery centers (ASCs) and other health care providers experienced pronounced payment disruptions earlier in 2024 due to the Change Healthcare cyberattack.
Many of these health care providers mitigated the financial impact of that disruption via a form of short-term loan from the government. This lifeline will soon go away, however.
The Centers for Medicare & Medicaid Services (CMS) recently announced that its advanced and accelerated payment program tied to the cyberattack will end July 12.
“In the face of one of the most widespread cyberattacks on the U.S. health-care industry, CMS promptly took action to get providers and suppliers access to the funds they needed to continue providing patients with vital care,” CMS Administrator Chiquita Brooks-LaSure said in a statement. “Our efforts helped minimize the disruptive fallout from this incident, and we will remain vigilant to be ready to address future events.”
As the entity that runs two of the largest health care payer sources in the nation, Medicare and Medicaid, CMS has the authority to give advanced and accelerated payments to certain providers that are in distress due to an extraordinary circumstance.
Effectively, these types of programs function as a short-term loan, giving ASCs and other providers access to capital at a time when their books are in disarray.
“Launched in early March, the [Change Healthcare] payments were designed to ease cash-flow disruptions experienced by some Medicare providers and suppliers, such as hospitals, physicians, and pharmacists, due to the unprecedented cyberattack that took health-care electronic data interchange Change Healthcare offline in February,” CMS explained in a June 17 announcement.
In total, Change-related accelerated payments have been issued to more than 4,200 Part A providers, such as hospitals, totaling more than $2.55 billion.
CMS also issued 4,722 advance payments, totaling more than $717.18 million, to Part B suppliers, including doctors, non-physician practitioners and durable medical equipment (DME) suppliers, according to the agency.
Many of the providers that capitalized on these pre-payments have already made good on their loans. In fact, of the thousands of payments disrupted, 96% have already been recovered, CMS noted in its announcement.
Change Healthcare, a part of UnitedHealth Group (NYSE: UNH) subsidiary Optum, reported enterprise-wide connectivity issues in late February. Not long after, health-care providers began experiencing technical difficulties.
On Feb. 26, a ransomware group took responsibility for the attack.
By March, CMS began offering relief to health-care providers, and lawmakers began to call out UnitedHealth Group leaders for how they handled the situation. At the start of May, UnitedHealth Group’s CEO, Andrew Witty, had to testify in front of Congress to answer questions about the cyberattack and his company’s response.
“This hack could have been stopped with cybersecurity 101,” Sen. Ron Wyden (D-Ore.) said during the Senate Committee on Finance hearing.