On a Sunday in early March, Dr. Angeli Maun Akey discovered an alarming issue while processing payroll for her private practice in Gainesville, Florida: she was short $19,000.
Dr. Akey runs a primary care practice that caters to approximately 3,500 patients, many of whom have chronic conditions.
Since opening in 2000, she has managed a staff of nearly 20 and considers her practice and patients an extension of her family.
“There’s no better life,” she shared in an interview.
Upon initially noticing the discrepancy, Akey suspected embezzlement, a problem she had encountered three times since medical school. However, a deeper investigation revealed a more significant issue.
The health-care technology firm Change Healthcare had been compromised in a cyberattack.
Change Healthcare provides various services, including payment and revenue cycle management tools, as well as electronic prescription software.
On February 21, UnitedHealth Group, which owns Change Healthcare, discovered that hackers had breached some of the unit’s IT systems.
UnitedHealth reported to the U.S. Securities and Exchange Commission that it isolated and disconnected the affected systems “immediately upon detection” of the breach.
In its April first-quarter earnings report, UnitedHealth projected that the total cost of the cyberattack could reach up to $1.6 billion for the year, with the company’s stock down nearly 8% year to date.
The attack has had severe repercussions across the U.S. health-care system, leaving many doctors, including Akey, temporarily unable to receive payments for their services.
Akey described how the attack had reduced her practice’s cash flow by over 80% for six weeks. By early April, she had accumulated more than $130,000 in insurance claims awaiting reimbursement.
With payroll becoming a pressing issue, Akey said she stopped drawing her own salary to support her staff. Her bank offered a loan to sustain her practice, but the 11% interest rate was deemed too high.
She sought help from her patients, requesting voluntary $45 advances, which were often exceeded with generous contributions.
“I’ve had patients for like a quarter century, so a lot of them have been like, ‘No, no, I need to give you more.’ So there’s $100 checks, $200 checks, $500 checks, $2,000 checks,” Akey recounted.
“They have had 0% responsibility for this situation, and they’re fronting the money to keep us going.”
Earlier this month, Akey also liquidated her retirement investments as a precaution. She expressed frustration and vulnerability, particularly with rumors suggesting a potential second breach.
UnitedHealth assured earlier this month that there was “no evidence of any new cyber incident at Change Healthcare.”
“I just decided I can’t do this again,” Akey said.
UnitedHealth stated in a press release on April 22 that efforts were underway to restore systems, with Change Healthcare making “continued strong progress.”
Medical claims across the U.S. were processing at “near-normal levels,” and payment processing had returned to over 85% of pre-incident levels.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said UnitedHealth CEO Andrew Witty in the release.
Akey reported that payments had started to return to her practice, though they remained 30% to 40% below normal levels.
The resumption of payments had alleviated a “humongous weight” from her shoulders, but she acknowledged the path forward would be challenging.
Nonetheless, she is optimistic about her practice’s recovery and hopes to restore her retirement investments in the coming months.
“We love our patients, and that’s why I’m fighting so hard,” Akey said.
Change Healthcare is not widely recognized by the general public or even many health-care professionals. The company’s technology primarily supports billing, payments, benefits evaluations, and information exchanges behind the scenes.
As the largest U.S. clearinghouse for medical insurance claims, Change Healthcare acts as an intermediary between providers—such as doctors, hospitals, and pharmacies—and payers, including insurance companies, Medicare, and Medicaid.
The company facilitates accurate billing to appropriate payers and manages substantial cash flow within the health-care sector.
With more than 15 billion billing transactions processed annually and 1 in 3 patient records passing through its systems, Change Healthcare’s influence extends beyond UnitedHealth’s extensive customer base.
When the company’s systems were disrupted by the cyberattack, a crucial revenue stream for thousands of U.S. providers came to a halt.
Dr. Barbara McAneny, who founded a multidisciplinary private practice in New Mexico in 1987, experienced significant challenges.
The practice, which now supports 280 staff members and provides various services, including cancer care, felt the immediate impact of the attack.
McAneny, who also served as president of the American Medical Association (AMA) from 2018 to 2020, had prepared for potential cyberattacks with contingency plans and funds. However, she was unprepared for the scale of the breach.
“The cash flow for the practice went to zero that day,” McAneny told CNBC.
She reported that partner physicians stopped taking salaries and that overtime pay was halted.
Her primary concern was ensuring the continued supply of chemotherapy for cancer patients. The practice faced a $6 million debt for chemotherapy alone.
“If the flow of chemotherapy stops from the GPOs that supply our chemotherapy, people will die,” McAneny said.
Despite the distress, by mid-April, payments began to trickle back into McAneny’s practice, allowing her to address the $15 million claims backlog.
While progress has been made, the practice’s cash flow remains around 70% to 80% of its usual level. McAneny is concerned about accumulating debt and late fees but is relieved by the signs of improvement.
“I might actually sleep through the night,” she said.
In early March, UnitedHealth launched a temporary funding assistance program to support providers affected by the cyberattack.
The program provides funds with no additional fees, interest, or costs, and allows providers 45 days to repay the funds once regular payment operations resume.
Eligible providers receive weekly payments based on the difference between their historical weekly claims or payment volume before and after the breach.
UnitedHealth noted that it has “partial visibility” into most providers’ histories and may not fully capture their needs. Providers can submit a temporary assistance inquiry form for additional support if there is a funding gap.
For doctors like Akey, the program has been frustrating. As of Thursday, Akey had been approved for approximately $31,000 in funding, which she described as “woefully inadequate” and insufficient for even two weeks of support.
Akey mentioned she was unaware of additional funding opportunities despite reviewing the website and making numerous attempts to contact UnitedHealth.
Sarah Carlson, who owns a marriage and family therapy practice in Boulder, Colorado, faced similar challenges with the funding program.
By early April, Carlson’s practice had accumulated a $75,000 claims backlog due to the cyberattack. She had used her own money to cover payroll and temporarily stopped accepting new clients.
Carlson received minimal assistance from UnitedHealth’s program, with one week’s payment amounting to just $10.
“It was comical. Literally, I think I laughed,” Carlson said.
UnitedHealth responded that Carlson had not applied for additional funding. Carlson believed she had submitted a new form detailing her total claims.
McAneny had approximately $28,000 from UnitedHealth by mid-April, barely enough to cover two drugs. She has since obtained additional funding to address chemotherapy bills.
UnitedHealth stated that it has issued over $6.5 billion in assistance to providers and continues to encourage providers to reach out for support.
UnitedHealth’s acquisition of Change Healthcare has been contentious. UnitedHealth’s two main business units, Optum and UnitedHealthcare, have significant reach.
Optum provides pharmacy services and medical care, while UnitedHealthcare offers insurance coverage and benefit services.
The $13 billion merger with Change Healthcare raised concerns from organizations like the AMA, which warned of potential “significant anticompetitive effects” on the health-care sector.
The DOJ attempted to block the merger, arguing it would harm competition, but was unsuccessful. Optum and Change Healthcare completed their merger in October 2022.
In April, UnitedHealth CEO Andrew Witty stated that Change Healthcare’s integration was “important for the country” and that the cyberattack would have occurred regardless of ownership.
Witty emphasized that UnitedHealth’s resources helped bring Change Healthcare’s systems back online and that they aim to enhance the company’s capabilities.
The AMA expressed concerns about the breach’s impact on physician practices, particularly those that are small, rural, or less-resourced.
In March, the DOJ launched an antitrust investigation into UnitedHealth, examining issues related to its acquisitions and the relationships between Optum and UnitedHealthcare.
There is no quick solution for providers affected by the breach. Switching clearinghouses can be a lengthy process, and submitting claims manually creates additional work for practices already burdened with administrative tasks. Some payers no longer accept paper claims.
Dr. Tyler Kisling, who runs an orthodontic and pediatric dentistry practice in California with his wife, has been using personal savings to maintain operations since the breach.
Kisling said the cyberattack has caused significant stress and has required him to manage bills and due dates manually.
While their practice’s patient management software provider is working on a new clearinghouse setup, Kisling said the system was still not operational as of April 19.
The workaround involves manually filling out claims and mailing them to insurers.
“It’s not been fun,” Kisling said.
McAneny’s practice switched to another clearinghouse during the breach but encountered various issues, including 5,000 rejected claims that required detailed review.
“It’s been a ‘huge amount’ of work