New analysis shows CMS' payments following the Change Healthcare outage overcompensated most hospitals, underpaid others, and left some without any support.
After the Change Healthcare cyberattack left affected providers in financial disarray, the federal government failed to provide adequate relief to many hospitals in need, according to a new study published in Health Affairs.
Researchers from the University of Minnesota examining the federal response to the incident found that CMS overpaid a significant portion of hospitals through its accelerated and advance payment program, while hundreds of other facilities that experienced significant financial losses did not receive assistance.
The largest healthcare data breach in history took place in February 2024 and disrupted claims submissions and payments across the country. To stabilize provider finances, CMS offered accelerated and advanced Medicare payments based on 30 days of typical reimbursement, resulting in $3.3 billion paid out through the Change Healthcare/Optum Payment Disruption (CHOPD) program.
However, that flat payment structure did not reflect actual revenue losses, resulting in the program funding hospitals unevenly, the study highlighted. Most hospitals that participated received more relief than needed, with the median hospital ending up with a surplus of $314,302 relative to its actual losses. About one-third of participating hospitals received $1 million or more than their losses. Another one-third though, saw losses that exceeded the payments they received.
At the same time, 312 hospitals that experienced meaningful revenue declines did not receive any federal support. The study noted that participation in the program required hospitals to proactively apply, which may have disadvantaged smaller or resource-constrained organizations that were heavily affected by the billing disruption.
For hospitals that received CHOPD funding, Medicare revenue during the first six weeks of the cyberattack dropped by an average of 66% compared with the same period the year before.
Researchers said the uneven distribution highlights gaps in how emergency financial relief is deployed during industry-wide system failures. They recommend that future programs reflect providers’ actual financial impact and include stronger outreach to hospitals that may lack administrative capacity during a crisis.
“The Change Healthcare cyberattack was a wake-up call, demonstrating just how vulnerable the U.S. is to an attack on the behind-the-scenes infrastructure of our health care system,” Hannah Neprash, University of Minnesota School of Public Health associate professor and lead author, said in a news release.
“The increase in this kind of attack in recent years suggests that our healthcare system and policy makers need to prepare for future events like this. We believe this analysis will help CMS better respond to future attacks, and we are committed to providing further evidence that will help policy makers adapt to this emerging threat to our health care system.”
Jay Asser is the CEO editor for HealthLeaders.
KEY TAKEAWAYS
CMS' program provided uneven relief to hospitals impacted by the Change Healthcare cyberattack, overpaying many hospitals while 312 affected facilities received no support.
The flat 30-day payment model led to major discrepancies, with the median hospital receiving a $314,302 surplus and one-third getting $1 million or more above their losses.
Researchers say future relief efforts must reflect actual financial impact and better reach smaller, resource-strained hospitals.