When doctors at the New Mexico Cancer Center got to work on Thursday, February 22, they immediately knew something was very wrong. As they attempted to treat their patients, they found themselves unable to complete essential administrative tasks on their computers, from electronically filling prescriptions to verifying a patient’s eligibility for treatment to submitting insurance claims so they could get paid for their work. As they soon learned, the third-party service they use to facilitate those transactions, Change Healthcare, had been hit with a cyberattack the day before. For the cancer center, that meant that business, in effect, was at a standstill — though their patients’ illnesses were not. Anxieties began to swirl around the office: How could they make sure this wouldn’t interrupt anyone’s treatment? And how long could they afford to stay in business without any money coming in?
“We can make it two to three weeks, and then we’re out of money,” New Mexico Cancer Center’s CEO, Dr. Barbara McAneny, told me last week, adding that some physicians on staff have agreed to forgo their salaries until this is over. “Then I don’t know what we will do, because our patients are depending on us for their chemotherapy.”
Two weeks after the attack, the outage is ongoing with no clear end in sight, affecting thousands of medical practices, hospitals, and pharmacies across the country, which rely on Change Healthcare’s services to varying degrees — as the company boasts on its own website, it handles records for one in three patients in the U.S. At minimum, it has meant that businesses that contract with Change have had to scramble to switch to one of its few competitors (a process that can take weeks) or devise labor-intensive workarounds, which often involve old-school tools like paper prescriptions and fax machines. For pharmacies that contract with Change, the outage has disrupted their ability to conduct transactions with doctors and insurance companies, forcing some pharmacists to either hand out medication and trust insurers to pay them back later or make their customers pay for the full cost of their drugs out of pocket. If the outage lasts long enough, though, its ultimate legacy may be the number of small medical providers it puts out of business entirely.
When news of the cyberattack began to trickle out, UnitedHealth Group — the health-care behemoth that owns Change through yet another subsidiary, Optum — claimed the culprit was associated with a “nation-state,” though it turned out to be the ransomware gang BlackCat, which appears to have stolen data about patients, encrypted it, then demanded payment for its safe return. Cyberattacks on the health-care sector have been on the rise, but the Change Healthcare attack is “unprecedented” in terms of how widespread its impact has been, according to the American Hospital Association’s cybersecurity adviser, John Riggi. While Change is little-known outside of the industry, its status as a dominant hub for insurance approvals and reimbursements made it a ripe target, guaranteeing that a single attack could threaten not only the well-being of patients, but the financial solvency of health-care providers across the country. For patients, the attack might also constitute a massive data breach of personal information.
Amid what Riggi calls a “slow-rolling disaster,” it’s still too early to calculate the attack’s damage in terms of delayed treatments, leaked data, and cash-starved medical practices. (One estimate suggested U.S. health-care providers are hemorrhaging $100 million per day.) To the array of industry professionals that I spoke with, though, what is already clear is that the devastating scope of the attack is a direct product of industry consolidation, particularly at UnitedHealth Group, Change’s owner and the country’s largest health-care provider.
“This is what happens when everything merges and you only have one option,” McAneny said. “When we have one option, then the hackers have one big target that they know if they bring that down, they can grind U.S. health care to a halt.”
Understanding how Change got its tendrils in almost every facet of the health-care industry requires taking a peek at the literally dozens of acquisitions that formed it (which Maureen Tkacik compiled over at The American Prospect). In short, it originated as a subsidiary of Aetna, which was then bought by a claims-processing company called Envoy in 1997 that was itself bought by Healtheon/WebMD in 2000. When WebMD executives got indicted in a kickback scheme, the company rebranded as Emdeon and proceeded to gobble up other health-technology companies, getting acquired along the way by the private-equity giant Blackstone, which rebranded it as Change Healthcare in 2015.
Most of those moves could be considered par for the course in an acquisition-happy industry, but UnitedHealth Group turned heads among both health-care professionals and government regulators when it moved to buy Change in 2021. By that point, UnitedHealth Group had expanded well beyond the insurance business, primarily through its subsidiary Optum, which owns everything from pharmaceutical services to physician practices. (Optum is now the country’s largest employer of physicians, with 90,000 on staff.) At the time, Optum and Change were two of the biggest providers of health IT services in the country, and medical trade groups, including the AHA, protested that the merger would result in UnitedHealth Group having near-monopolistic control over certain services. The Justice Department agreed and sued to block the merger in 2022, alleging that United might also use Change’s data to access sensitive info about its rivals. The suit failed, and the $13 billion merger went through.
Change was important to the daily operations of the U.S. health-care system before UnitedHealth bought it, but the merger turned it into critical infrastructure — providing a target that, if hit correctly, could simultaneously postpone a surgery in Milwaukee, delay a teenager’s prescription refill in New York, and choke the revenue stream of an oncology practice in Albuquerque. The attack’s “cascading effects,” as Riggi calls them, are too numerous to list — Utah’s Medicaid office, which uses Change to handle prescriptions, is giving out 30-day refills for free and instructing pharmacists to fill out a Google form for reimbursement. Ken Raske, the president of the Greater New York Hospital Association, says some New York hospitals will be out of cash in a week. If providers who opposed the Change acquisition weren’t currently struggling to keep their heads above water, this might’ve made for an apt moment to tell UnitedHealth Group “I told you so.”
“In the letter we wrote, we pointed out our concerns of when you have this level of consolidation of a far-reaching system failure impacting the health-care system,” said American Medical Association president Jesse Ehrenfeld. “And here it is.”
As Raske points out, though, UnitedHealth Group is not yet bearing the brunt of its own mistakes. With Change down, the company is paying out fewer insurance claims than usual, meaning that — while medical practices verge on bankruptcy — UnitedHealth Group may just be stockpiling more cash. (Last year, the company raked in $371.6 billion in revenue.) The company did set up a loan program to help out providers with cash-flow issues amid the outage, but providers have called it insufficient, with the AHA saying it provides “very limited relief” under “shockingly onerous terms and conditions.”
Short-term relief, ultimately, may come in other forms. The trade groups are lobbying for government intervention, both at the state and federal level. Some ideas involve suspending certain regulations until this is over, such as relaxing requirements around Medicare prescriptions or accelerating some Medicare payments to providers. (The Department of Health and Human Services implemented those two changes on Tuesday.) Health-care providers, however, have made clear that what they need is cash, fast. Groups like the AMA have asked the federal government to make emergency funds available, while McAneny is advocating for a COVID-like bailout package, even if the relief funds are just a loan.
“We’re not asking for a handout,” she said. “But we can’t wait for a month or six weeks to get the money in the door that keeps this practice alive.”
While it has yet to pay much of a price for the cyberattack, UnitedHealth isn’t off the hook. Last week, the Justice Department announced an unrelated antitrust investigation into the company, which is primarily focused on Optum’s acquisitions of physician practices but will likely be influenced by the ongoing Change crisis. Even if the company emerges relatively unscathed from the investigation, it’s currently facing a crisis on multiple fronts: Earlier this week, someone paid BlackCat $22 million in bitcoin, which could mean that UnitedHealth paid its hackers the ransom they were demanding. And when the Change outage is eventually resolved, lawsuits will inevitably fly in UnitedHealth’s direction, meaning the providers currently struggling to keep afloat could see a payout several years down the line. For now, health-care providers like McAneny are just trying to stay in business.
“Will we ever get paid? I certainly hope so,” McAneny said. “Will we get paid in time to keep all these practices alive and well? I certainly hope so.”