HMN 2025: What is the impact of federal relief program after major health care cyberattack

New research from the University of Minnesota School of Public Health provides the first detailed look at whether funding provided through a federal relief program effectively reached hospitals affected by a ransomware attack on Change Healthcare, a major processor of health insurance claims.

The 2024 cyberattack exposed the personal health information of more than 190 million people. It left hospitals and clinics unable to submit claims or receive payment for the care they provided, and led to a cash-flow crisis that threatened their ability to make payroll and continue operations.

In response to this unprecedented attack on the U.S. health care system, the Centers for Medicare and Medicaid Services adopted an emergency relief program to assist affected providers. Called the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment program, the initiative provided emergency funding to help providers weather the crisis.

Using data obtained via a Freedom of Information Act request, the research team investigated who benefited most from these relief payments—and how a future emergency funding program like this could be improved in the event of future attacks.

The research team analyzed data from nearly 4,400 hospitals across the U.S. that had applied for the emergency relief program, citing the attack’s disruption of their ability to process Medicaid claims. The researchers compared emergency payments from the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment program to the hospitals’ actual Medicare revenue disruptions stemming from the 2024 attack.

The study, published in Health Affairs, found:

• Payments reached only a fraction of affected hospitals. Centers for Medicare and Medicaid Services provided $3.3 billion through the program, including $2.2 billion to hospitals, yet only 11% of hospitals received funds.
• Rural hospitals and those unaffiliated with a major health care system were disproportionately excluded from the program. More than 300 hospitals with significant revenue losses likely related to the cyberattack received no emergency relief.
• Revenue losses from the attack were severe for hospitals that did receive emergency funding. Among hospitals that applied for and received funding, incoming Medicare revenue fell by an average of 66% during the first six weeks of the cyberattack compared with the same six-week period a year earlier. However, relief funding exceeded actual revenue losses for most hospitals.

“The Change Healthcare cyberattack was a wake-up call, demonstrating just how vulnerable the U.S. is to an attack on the behind-the-scenes infrastructure of our health care system,” said Hannah Neprash, lead author and an associate professor in the School of Public Health. “The increase in this kind of attack in recent years suggests that our health care system and policymakers need to prepare for future events like this. We are committed to providing further evidence that will help policymakers adapt to this emerging threat to our health care system.”

The researchers suggest that future federal relief efforts could be improved by incorporating real-time administrative data to identify disrupted providers more accurately, adjusting payments to reflect actual revenue losses and conducting proactive outreach to ensure smaller and rural hospitals are not overlooked. Future research will examine disruptions to clinical care that occurred as a result of the Change Healthcare attack.

The content is provided for information purposes only.