CMS Responds To Healthcare Cyberattack With Emergency Loans


Healthcare providers encountered significant financial difficulties following the Change Healthcare cyberattack, which caused prolonged payment disruptions.

A government-backed initiative offering support to organizations, including home medical equipment- HME providers, will soon end. On June 17, 2024, the CMS or Centers for Medicare & Medicaid Services announced that its advanced and accelerated payment program, linked to the cyberattack, would conclude on July 12, 2024.

CMS Administrator Chiquita Brooks-LaSure noted that in response to one of the largest cyberattacks on the U.S. healthcare sector, CMS acted swiftly to provide providers and suppliers with the funds needed to continue delivering essential care. She mentioned that their actions helped minimize the disruption’s impact and that CMS would remain vigilant to address future incidents.

CMS has the authority to issue advanced and accelerated payments to providers paid through Medicare or Medicaid whenever significant disruptions affect the healthcare system.

These programs act as short-term loans, offering HME providers and others access to capital during financial turmoil.

CMS explained in a June 17, 2024 announcement that the payments initiated in early March aimed to alleviate cash-flow issues experienced by some Medicare providers and suppliers, including hospitals, physicians, and pharmacists, due to the unprecedented cyberattack that disabled Change Healthcare’s electronic data interchange in February.

In total, accelerated payments related to the Change Healthcare incident were issued to over 4,200 Part A providers, such as hospitals, amounting to more than $2.55 billion.

CMS also distributed 4,722 advance payments totaling over $717.18 million to Part B suppliers, including doctors, non-physician practitioners, and durable medical equipment (DME) suppliers.

Many providers who received these pre-payments have already repaid their loans. Of the thousands of disrupted payments, 96% have been recovered, according to CMS.

Numerous HME companies, including some industry leaders, have highlighted the severe impact of the Change Healthcare disruption on their operations.

Todd Zehnder, COO of Viemed, indicated during the Q1 2024 earnings call that while they managed to quickly redirect some of their major carriers, the process to adjust all their payers was ongoing. He expressed confidence that most of the funds had been redirected and noted an uptick in payments over the past few weeks.

AAHomecare described the cyberattack’s fallout as an “unprecedented disruption.”

Change Healthcare, a part of UnitedHealth Group’s subsidiary Optum, reported widespread connectivity issues in late February. Shortly after, healthcare providers began facing technical difficulties.

On February 26, 2024, a ransomware group claimed responsibility for the attack.

By March, CMS started offering relief to healthcare providers, and lawmakers began questioning UnitedHealth Group leaders about their handling of the situation. In early May, UnitedHealth Group’s CEO, Andrew Witty, testified before Congress regarding the cyberattack and his company’s response.

Sen. Ron Wyden- D-Ore. remarked during the Senate Committee on Finance hearing that the hack could have been prevented with basic cybersecurity measures.