CMS relief funding for healthcare providers affected by the Change Healthcare ransomware attack was inconsistently distributed, a new study found.
Here are five things to know from the December Health Affairs paper analyzing 8,538 organizations that received advanced and accelerated Medicare payments after the UnitedHealth Group claims processing subsidiary was hacked in February 2024:
1. From Feb. 19, 2024, to March 31, 2024, Medicare revenue for 476 acute care hospitals that got relief funding was dramatically lower than the same period in 2023. Revenue rebounded above 2023 levels in April and May, showing pent-up claims and processing delays.
2. CMS overpaid many hospitals for temporary Medicare losses during the first six weeks following the cyberattack — often by wide margins. The median hospital surplus was $314,302. About a third of hospitals received $1 million more than their actual losses.
3. Over 300 hospitals experienced major Medicare revenue losses (over a 66% drop) during the IT outage yet did not receive payments.
4. The funding recipients tended to be larger, urban and system-affiliated, suggesting the aid program favored better-resourced, more administratively sophisticated hospitals.
5. Because every applicant automatically received 30 days of their average Medicare revenue, hospitals with minimal disruption received excess funds while facilities with severe losses — some missing more than 70% of Medicare revenue for six weeks — were underpaid relative to need.
