A 2024 ransomware attack on a major processor of health insurance claims called Change Healthcare exposed the personal health information of more than 190 million people, left hospitals and clinics unable to submit claims or receive payment for the care they provided, and led to a cash-flow crisis that threatened their ability to make payroll and continue operations. In response to this unprecedented attack on the U.S. healthcare system, the Centers for Medicare and Medicaid Services (CMS) adopted an emergency relief program to assist providers affected by the unprecedented attack. Called the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment program (CHOPD), the initiative provided emergency funding to help providers weather the crisis and keep the lights on.

In a new study, School of Public Health (SPH) researchers provide the first detailed look at whether the funding CMS provided through the emergency program effectively reached hospitals affected by the cyberattack. Using data obtained via a Freedom of Information Act request, the research team investigated who benefited most from these relief payments—and how a future emergency funding program like this could be improved in the event of future attacks.

The program was voluntary and accessible to any provider of Medicare Part A or Part B services. To receive emergency funding, providers were required to apply for relief funds and attest that the Change Healthcare cyberattack disrupted their ability to submit or receive Medicare claims. To conduct their analysis, researchers examined these emergency payments and compared them with hospitals’ actual Medicare revenue disruptions stemming from the attack. In all, the analysis included data from nearly 4,400 hospitals.

The study, published in Health Affairs, found:

• Payments reached only a fraction of affected hospitals. In all, CMS provided $3.3 billion through the program, including $2.2 billion to hospitals, yet only 11% of U.S. hospitals applied for and received funds.
• Rural hospitals and those unaffiliated with a major healthcare system were disproportionately left out. More than 300 hospitals with comparable or worse revenue losses received no emergency relief. These organizations were more likely to be located in rural areas and to be unaffiliated with major health systems.
• Revenue losses from the attack were severe for hospitals that did receive emergency funding. Among hospitals that applied for and received CHOPD funding, incoming Medicare revenue fell by an average of 66% during the first six weeks of the cyberattack compared with the same six-week period a year earlier. However, the relief funding exceeded actual revenue losses for most hospitals.

“The Change Healthcare cyberattack was a wake-up call, demonstrating just how vulnerable the U.S. is to an attack on the behind-the-scenes infrastructure of our health care system,” said Hannah Neprash, SPH associate professor and lead author. “The increase in this kind of attack in recent years suggests that our healthcare system and policy makers need to prepare for future events like this. We believe this analysis will help CMS better respond to future attacks, and we are committed to providing further evidence that will help policy makers adapt to this emerging threat to our health care system.”

The paper suggests ways that future federal relief efforts could be improved, including incorporating real-time administrative data to identify disrupted providers more accurately, adjusting payments to reflect actual revenue losses, and conducting proactive outreach to ensure smaller and rural hospitals are not overlooked.

Future research will examine disruptions to clinical care that occurred as a result of the Change Healthcare attack.