The American Medical Association is pressing Optum to avoid using a “one-size-fits-all” loan repayment approach with providers following the cyberattack on its Change Healthcare subsidiary in early 2024.
On April 11, the association sent a letter to Optum Insight CEO Roger Connor, urging the UnitedHealth Group company to ensure physicians can decide for themselves when to start repaying their loans. The letter follows reports from physicians alleging they are being forced to repay large loans under the threat of withheld reimbursements from UnitedHealthcare, despite previous assurances to Congress from UnitedHealth Group CEO Andrew Witty that repayment would not be required until providers determined they were financially stable.
“Each practice will have distinct levels of patient volumes, revenue generation, and cost pressures and needs a repayment plan that does not recreate the same dire financial straits experienced during the cyberattack when CHC’s systems were non-functional,” AMA CEO James Madara, MD, wrote in the letter.
“Optum has and will continue to actively work with providers to identify flexible repayment plans based on the individual circumstances of providers and their practices,” a spokesperson for the company told Becker’s. “We have also worked with UnitedHealthcare to ensure the claims it receives are reviewed in light of the challenges providers experienced, including waiving timely filing requirements for the plans under its control. We have asked the AMA to join us in encouraging flexibility from all payers and plan sponsors.”
The February 2024 ransomware attack on Change Healthcare was described as “the worst cyberattack in healthcare history” by the American Hospital Association.
Change, responsible for processing one-third of all U.S. healthcare transactions, was targeted by the ALPHV (BlackCat) ransomware group. The attackers exploited stolen credentials and a lack of multi-factor authentication to infiltrate the company’s systems, exfiltrate data, and deploy ransomware. Mr. Witty said during congressional hearings that it was his decision to pay a $22 million ransom to the hackers.
The breach left Change Healthcare offline for months, paralyzing claims processing and delaying payments for thousands of providers.
“These issues with loan repayment are further compounded by the fact that many practices continue to see claims rejected because they could not meet timely filing deadlines from the period associated with the cyberattack when CHC was not operational,” the AMA wrote. “Practices recently described to us how they were not able to file any claims for eight months after the cyberattack, and now that their systems are fully functional, they are receiving timely filing denials and rejected appeals for the claims that they are submitting.”
Smaller practices were disproportionately affected, with some struggling to pay employees, rent, and medical supply bills. UnitedHealth sought to mitigate the fallout by distributing more than $9 billion in financial assistance through loans and advance payments.
“Healthcare practices and pharmacies like ours absorbed the cost of keeping the doors open through the chaos,” Christine Meyer, MD, a Pennsylvania internist, wrote on LinkedIn in April. “We haven’t even discussed the added expenses: overtime, new computers, a new clearinghouse, more paper statements with postage etc, etc. But for now we are focusing on the losses. They are real — and permanent.”
Dr. Meyer said her practice lost about $1.2 million in revenue due to the cyberattack and received a loan of more than $750,000 from Optum. In an April 1 letter she posted, Optum warned that if the loan wasn’t repaid within five business days, they would withhold all reimbursements.
Since the attack, providers, states, and insurers have filed lawsuits against Change Healthcare over the various aftermath effects.
