Nearly all hospitals feel financial impact of Change Healthcare cyberattack

Nearly all of the nation’s hospitals have suffered financially due to the Change Healthcare cyberattack, and most say it has affected patient care.

Those are the key takeaways from a new survey released Friday by the American Hospital Association. The poll gathered responses from about 1,000 hospitals, the association said.

More than 9 in 10 hospitals (94%) said they have had a financial impact due to the cyberattack, the survey found. In addition, 82% of hospitals report impacts to their cash flow.

Nearly 60% of the hospitals said the impact on their revenue has been $1 million per day or greater. That’s noteworthy since the survey was conducted from March 9-12, and the Change Healthcare cyberattack was first reported Feb. 21. So many health systems have seen revenue losses of $10 million or more during the attack.

More than 1 in 3 hospitals say that more than half their revenue has been impacted, while nearly half (44%) say they expect the negative impact on their finances to persist for two to four months, the survey found.

Beyond the financial impact, hospitals say the cyberattack has also interfered with their ability to care for patients. About 3 in 4 hospitals (74%) said the attack has interfered with patient care. Almost 40% have said patient care is being affected by delays in fulfilling requirements with health plans, such as securing approval from payers before pursuing treatment.

• Read more: Hospitals should see cybersecurity as a part of their business strategy | HIMSS 2024

Change Healthcare works with hospitals and other medical providers in a variety of areas, including billing, processing claims, handling prescriptions and clinical decision support. Health systems have developed workarounds, but as the survey indicates, many continue to see an impact financially.

In the wake of the cyberattack, the U.S. Department of Health & Human Services said this week it's launching an investigation of Change Healthcare and its parent company, UnitedHealth Group. The health department said it will look to determine if there has been any violation of federal regulations.

The health department also noted the “unprecedented magnitude” of the cyberattack and the direct threat to patient care.

Kodiak Solutions released a report this week that estimated $6.3 billion in payments to hospitals have been delayed through March 9 due to the disruption. Kodiak says its software monitors patient financial transactions from more than 1,850 hospitals and 250,000 physicians across the country.

UnitedHealth Group said last week that it expects to begin testing connectivity to the medical claims network and software on March 18, and hopes to restore service that week.

The cyberattack generated a great deal of discussion at the HIMSS Global Health Conference & Exhibition this week. Lee Kim, senior principal of cybersecurity and privacy for HIMSS, said the attack underscores the growing sophistication of ransomware groups.

“No matter how large or how small the entity is, no one is immune,” Kim said at the conference.

Within days of the cyberattack, the American Hospital Association called it the “most significant” healthcare cyberattack in U.S. history.

Mary Mayhew, president and CEO of the Florida Hospital Association, told Chief Healthcare Executive® earlier this month that smaller hospitals are struggling due to the attack.

“You've got small hospitals with razor thin margins,” Mayhew said. “They don't have significant reserves to lean into during a crisis.

Ransomware attacks have risen by 264% over the past five years, according to the health department.