Source: RSM US LLP. 


Some providers and physician groups are facing an existential cash flow crisis as the problems pile up due to the recent cyberattack on Change Healthcare, one of the world’s largest healthcare clearinghouses for medical claims transactions. Outcomes of this event could disrupt health care transactions for months to come.

Based on a recent survey by the American Hospital Association, nearly 60% of survey respondents indicated the impact to revenue could be $1 million or more per day and 94% reported they were financially affected.

As a result, many organizations have indicated they are struggling to meet payroll, pay current liabilities and execute on strategic priorities as incoming cash flows have halted for some who rely on Change Healthcare to process claims transactions.

Some providers and physician groups are now drawing on lines of credit, requesting capital calls from owners or using advance payment programs from insurers to manage the short-term cash flow obligations. Providers are struggling to obtain prior authorization, fill pharmacy orders and validate coverage, while health insurance companies are struggling to reimburse providers for claims and provide explanations of benefits to members.

Organizations beyond the healthcare ecosystem are affected, too, as third-party administrators that process medical claims for self-funded health insurance plans also use Change Healthcare.

In 2023, 65% of U.S. workers were covered by self-funded health insurance plans, according to data compiled by Statista. Half of U.S. medical claims go through Change Healthcare’s electronic data interchange clearinghouse according to an anti-trust lawsuit in 2022, thus it’s likely one in three workers in the U.S. could be affected.

Staying resilient

Unwinding and clearing out the unpaid claims will be labor intensive for many organizations and could take a considerable amount of time. Providers and those who have alternative clearinghouse relationships or direct payment relationships with payors may have already made the switch to receive or pay claims, but for those that don’t have this access, the time and cost can be extensive. The longer an organization waits to decide the path forward, the more complex and significant the issue becomes.

Cyber risks will accelerate as the digitization of the economy and age of artificial intelligence matures. For healthcare organizations, the concern is only growing. Through March 19, mentions of cyberattacks by healthcare organizations had reached nearly half of last year’s record total.

Organizations should reflect on how to enhance their safeguards to mitigate these risks. Key considerations include:

  • Do we have sufficient business continuity planning in place? Does this include a ransomware response?
  • Have we tested our recovery plans to ensure they will work and that our teams are trained?
  • Does our third-party/vendor risk management program sufficiently protect us from cyber breaches?
  • Does our enterprise risk program account for events affecting our critical vendors or suppliers?
  • Have we evaluated our cyber program against leading practices to ensure it sufficiently protects the organization?
  • Does our cybersecurity insurance policy cover both domestic and foreign attackers and is the coverage sufficient?
  • Is our investment in cyber protections aligned with our investments in technology and our revenue growth?

The takeaway

The cyberattack on Change Healthcare has roiled the healthcare ecosystem and will take a considerable amount of time to resolve. These risks will continue to persist given patient data is some of the most valuable data that bad actors seek out. As the age of artificial intelligence and the digitization of the healthcare ecosystem matures, risks will continue to rise. Organizations should continue to evaluate if their data governance, vendor management and business continuity practices will be resilient enough to weather the storm when a cyberattack occurs.

RSM US LLP contributor: Greg Vetter

This article was written by Danny Schmidt and originally appeared on 2024-03-26.
2022 RSM US LLP. All rights reserved.


RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.