Change Healthcare cyberattack fallout could hurt credit ratings of smaller providers: Fitch

The ripple effects continue from the Change Healthcare cyberattack.

Smaller healthcare organizations could see their credit ratings affected due to the fallout of the Change Healthcare cyberattack, according to Fitch Ratings.

Smaller providers, pharmacies and healthcare companies could see weaker credit ratings as a result of the cyberattack, Fitch Ratings said Monday.

“We are assessing the degree to which companies’ cash flows have been disrupted following the cyber-attack on Change on Feb. 21, the adequacy of existing liquidity sources, and the likelihood and sufficiency of other sources, such as shareholder and lender support, and whether and when issuers switched to other service providers,” Fitch said in a note to investors.

The Change Healthcare attack has impacted hospitals and other organizations in a host of ways, including submitting and paying claims, securing approvals from insurers for treatment, and scheduling, Fitch noted.

Hospitals and health systems are seeing reduced cash flow from delays in claims and said problems in scheduling appointments could be leading to lower volumes. They could also be seeing higher denials if they provided care without prior authorization from payers, Fitch said.

Organizations with higher credit ratings should have the means to make it through the disruptions and interruptions in cash flow, according to Fitch.

“We believe any credit implications are likely to be limited to smaller companies due to their limited financial flexibility to withstand even temporary cash flow disruptions,” Fitch said.

• Read more: Lessons from the Change Healthcare cyberattack

The clearer impact of the toll of the cyberattack will become more apparent when companies post their financial results for the first quarter of 2024, Fitch said.

Kevin Holloran, senior director of Fitch Ratings, noted the cyberattack’s impact on health systems during a conference call about nonprofit hospitals earlier this month.

“I've already heard a whole lot of people saying, ‘Hey, we're redoubling our efforts on cybersecurity,’” Holloran said. “But this is a risk we've called about many, many times. You can harden your own house, but sometimes things are outside of your control with vendors.”

Nationwide, 94% of hospitals said they are seeing some financial impact from the Change Healthcare attack, according to a survey released last week by the American Hospital Association. Nearly 60% of hospitals said they have seen revenues fall by $1 million per day, or more. About three-quarters of hospitals said they are seeing patient care affected as well.

In light of the attack, the U.S. Department of Health & Human Services said it has begun an investigation of Change Healthcare and UnitedHealth Group, its parent company. The health department noted the “unprecedented magnitude” of the attack and the threat to patient care.

UnitedHealth Group has offered financial assistance to some providers; the company said Monday it had distributed $2 billion. The federal government has also accelerated Medicare payments. The health department has urged insurers to advance money to providers and relax restrictions on filing deadlines.

Change Healthcare has restored its pharmacy services. On Monday, UnitedHealth said it was releasing medical claims preparation software, which it said was a key in restoring services.

“We continue to make significant progress in restoring the services impacted by this cyberattack,” Andrew Witty, CEO of UnitedHealth Group, said in a statement Monday. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”

The company has said the ransomware group known as “Blackcat” is behind the cyberattack. Federal officials have said Blackcat has been known to target healthcare organizations.

Cybersecurity experts say the attack indicates that all organizations are vulnerable to ransomware groups.

“No matter how large or how small the entity is, no one is immune,” said Lee Kim, senior principal of cybersecurity and privacy for HIMSS.

Read more: Nonprofit hospital sector has negative outlook, but Fitch projects better times ahead