{"subscriber":false,"subscribedOffers":{}} Will The Change Healthcare Incident Change Health Care? | Health Affairs
Advertisement: Icahn School of Medicine

Doi: 10.1377/forefront.20240314.298538
A close-up image of a stethoscope lying on top of a computer keyboard.

Sometimes, the biggest problems in the world are created by solutions. On February 21, 2024, cybercriminals affiliated with hacker collective AlphV infiltrated and crippled the nation’s largest medical claims clearinghouse, Change Healthcare, interrupting the flow of perhaps as much as a third of all US health payments from health insurers to care providers. The multi-billion-dollar Change Healthcare cyberattack exploited a technically fragile “solution” to the problem of excess paperwork in health care payment. As many as 85 million patients’ medical records might have been “exfiltrated’ from Change’s vast databases and possibly destroyed. 

The Change cyberattack has precipitated financial crises for care providers large and small and for patients, as well as for Change’s immense owner, the $371 billion UnitedHealth Group. It has graphically demonstrated the vulnerability of a bewilderingly complex proprietary medical payment system. It is a “Deepwater Horizon” moment in American health care finance. 

What Is Change Healthcare And Where Did It Come From?

Change Healthcare’s payment framework can be traced back to the dawn of Internet-based e-commerce in health care. Up until the mid-1990s, health care claims were paper and fax-transmitted, costly and unreliable. In 1996, the Healthcare Insurance Portability and Accountability Act (HIPAA) markedly accelerated the use of electronic data interchange (EDI) in health care. Though HIPAA is mainly known for its confidentiality protections for patient data, its Administrative Simplification provisions set data standards to encourage electronic submittal and payment of medical claims. HIPAA markedly accelerated electronic data interchange through dedicated T-1 lines, hardwired ancestors of today’s VPNs—high-capacity, secure physical links between hospitals and their major payers.

HIPAA spawned a whole ecosystem of small companies who served as financial intermediaries between health insurers and care providers—aggregating, transmitting, and processing medical claims and paying providers for their care. These health care e-commerce companies proliferated during the first Internet investment bubble, which began after Netscape’s historic IPO in 1995. When the Internet bubble burst in 2000, these companies were sold by their private equity and venture owners in an ensuing multi-year fire sale. 

A large cluster of Internet health data companies came to be owned by a health tech “roll up” called Emdeon, which was built around Internet darling WebMD. Some of Emdeon’s companies faced consumers (giving them access to health information or helping them with health problems), some faced employers (helping them promote healthier workforces or managing their health benefits), some faced doctors and hospitals (helping improve efficiency or get paid for their services), and some faced health plans (helping them organize and manage the flow of health claims. 

After acquiring seven small medical payment companies serving one or another customer segment, Emdeon was taken private by the Blackstone Group in 2011. In 2014, it acquired a Nashville-based company named Change Healthcare, focused on helping employers and health plans “enhance consumer engagement.” And in 2016, the resulting conglomeration was merged with the health information technology division of McKesson, which used the transaction to divest its ill-starred electronic health record and a host of other small firms McKesson had acquired. The resulting agglomeration was then taken public in 2019 as Change Healthcare.

United Consolidates Control Over Medical Payments

In January 2021, Change Healthcare, which had grown to a $3.1 billion business, was acquired by UnitedHealth Group’s Optum subsidiary for $13 billion. Change’s companies were folded into OptumInsight, United’s business intelligence and services subsidiary. OptumInsight was built around a scandal-plagued business intelligence operation formerly known as Ingenix that tracked physician prescribing patterns and payment rates for all manner of health care services. 

Change Health joined another large claims management company, Equian (for which United paid $3.2 billion in 2019), and naviHealth, a post-acute care managed care enterprise (which United purchased in 2020 for $2.5 billion). With this succession of lightning strikes, United suddenly owned a substantial fraction of the claims management software in the US, triggering an unsuccessful Justice Department anti-trust challenge.

At almost $19 billion a year in revenues, OptumInsight is United’s most profitable business, generating an operating margin of 22.5 percent in 2023, almost four times the margin on United’s vast health insurance business. OptumInsight is really a financial services conglomerate inside the larger conglomerate that is Optum—a roll up of roll ups of roll-ups. It not only provides claims management services, but also health care transaction data, management consulting, and business process outsourcing services.

Owing to the spate of acquisitions, OptumInsight has more than tripled in size since 2018. Optum Insight’s largest customer is the United Healthcare’s health plan business, accounting for nearly $11 billion, or 58 percent of OptumInsight’s revenues in 2023. But the other 42 percent are generated by United’s health plan competitors (!) and by hospitals and physician groups both inside and outside United’s networks. Change Healthcare processes well more than a third of all medical and pharmaceutical transactions in the US, 15 billion a year, with a dollar value of $1.5 trillion a year.

OptumInsight’s claims management toolset uses AI-driven rules engines and machine learning to scrub and process medical claims, with a third of hospitals reporting denial rates of more than 10 percent, for problems like incomplete documentation or not meeting medical necessity criteria. OptumInsight is also the locus of United’s AI strategy. OptumInsight is thus a valuable toolset enabling United to manage the cash flow for its insurance business, as well as squeeze profits from the administrative services component of their insurance activities. The profit contribution to United of OptumInsight’s inhouse services provided to United’s health plans is unknown, i.e. not disclosed, but is suspected to be substantial.

The IT infrastructure that makes all this possible is an agglomeration of the acquired companies’ IT systems, with hundreds of thousands of user interfaces and vast interconnected databases. OptumInsight presides over an immense kluge of IT infrastructure, a pulsing circulatory system through which flows billions of dollars a day in medical payments. It may be the most lucrative cyberterrorism target in the US economy. Since United has over $25 billion in cash and over $77 billion in total investment assets, it had a huge resource base to be extorted. Whether United paid the attackers ransom and under what circumstances is unconfirmed as of this writing. 

The AlphV attackers, who also masterminded the 2021 attack on the Colonial gas pipeline system, are suspected of using a “social engineering” hack—using phony user credentials to log into the system, mimicking a fairly high level Change employee or contractor with broad network access and obtaining credentials which enabled them to locate and exfiltrate huge data files containing Change’s provider directories, claims histories and the personal health records. As much as 8 terabytes of data containing confidential medical records of over 85 million Americans were reportedly stolen and United’s backup files likely destroyed. 

United has been working overtime to develop workarounds to the Change blockade and has offered temporary loans to care systems and providers to replace the cash flow from claims it is unable to process due to the hacking incident. Whether these loans will be sufficient to stave off cash flow crises for health providers large and small remains to be seen. United may also have to rebuild its datafiles and create new and more secure interfaces to access these data files to enable processing future claims, a process that could take months. 

United’s reputational damage from this incident is likely to be considerable. It could lose Change health plan customers due to this incident, as well as care systems being unwilling to participate in their payment system. United’s legal liability for failing adequately to protect its data systems from this attack is also likely to be substantial, but it is unknown as of this writing.

Policy Issues Raised By The Change Incident

It is this analyst’s opinion that the concentration of ownership of health care payment infrastructure in the hands of a single company poses a significant threat to the financial viability of the US health care system and requires a policy response. It does not make national security sense for more than 5 percent of US GDP to flow through a single company’s pipes. No provider of administrative services to health plans or care systems should be permitted to control a third of total US health care payments. Assuring the stability and safety of this payment infrastructure is a legitimate and substantial policy challenge.

For reasons similar to those which argue against nationalizing the health insurance system (e.g. “single payer”), it is not clear that the federal government has the political or administrative capability to own and manage the payment infrastructure (e.g. “single clearinghouse”) through which health care funding flows. Congress cannot even reliably pass an annual budget for the federal government or meet its security commitments to its allies. The federal government’s track record in directly managing health care information technology, from the Affordable Care Act’s shambolic Healthcare.gov website rollout to the Department of Veterans Affairs’ ill-starred electronic health records conversion, does not inspire confidence in the ability of the federal government to operate health data systems.

However, there is a successful precedent for federal contracting with private entities to process medical claims that could serve a model for regulating this activity systemwide: the Medicare Administrative Contractor system. Remarkably, from Lyndon Johnson’s signing Medicare into law to Medicare in 1965 to actually paying providers for caring for Medicare patients took less than two years. 

This is because Medicare’s administrators at what was then the federal Department of Health, Education and Welfare decided to contract with established private sector firms as “fiscal intermediaries”—mainly Blue Cross plans at the time—to provide administrative services including eligibility determinations and claims processing to the new federal program. This program has evolved significantly in the ensuing nearly sixty years as Medicare has grown to a trillion dollars. But the program has been successful and largely trouble free.

Consideration should be given to expanding the MAC concept to the entire US health care payment system. Any health insurer that received federal health care payments (from the VA, Department of Defense, Medicare, or any other source) would be required to use a federally approved and regulated payment intermediary for all their medical claims, federal, state or private.

Data Security And Administrative Simplification Are Compatible Health Policy Objectives

The US should be divided into a minimum of six non-geographical groupings of provider entities across sectors, to whom contracting entities would provide claims management services. A non-geographic basis of dividing the market is probably stronger from a health system security standpoint than using physical geographic regions.

Administrative services providers should bid competitively to provide claims management and payment processing services for each grouping. Those providers should post a substantial bond to receive a contract and be required to adhere to National Security Agency quality data system security protocols to guard against future cyberterrorism incidents. These protocols would specify standards for data architecture and quality, credentialling, and claims processing minimum performance. They should be subject to regular audits and aggressive “white hat” hacker challenges.

Crucially, these contracting service providers should also be required to use not only a common set of forms (per HIPAA’s Admin Simplification provisions) and a common medical record structure but also a single set of business rules for processing claims. This means that rather than having 1,100 different rule sets/data requirements—one set for each health insurer—to document and justify medical claims, there should be a single set of rules and data requirements that apply uniformly to all health insurers, including federal and state governments, and all health insurance market segments.

The present regime of a myriad of business rule sets applied capriciously and unpredictably to each care episode depending on the insurer is a major reason why some health systems spend north of 10 percent of their total costs on revenue cycle functions (many tens of billions of dollars in excess administrative spending per year), and why the typical physician spends as much or more time justifying their clinical decisions as they do taking care of patients. The only practical way to reduce this huge amount of administrative waste is to eliminate the pointless variation in documentation requirements created by the current multi-payer payment system.

The common rule set would be evidence-based and cover eligibility, service coverage, and medical necessity provisions, yet provide flexibility for different payment rates and models, discounts, and rebates depending on the health plan. It would also acknowledge that medical knowledge is incomplete and cannot be relied upon in 100 percent of cases. Performance standards would also assure prompt and secure payment and assure patients’ recourse in the event of systemic error.

New regulations would limit the application of prior authorization to clinical decision-making and outlaw retrospective denials of coverage and down-coding of claims. Steps should also be taken toward bundling claims, as upwards of 50 billion separate “transactions” a year, even efficiently managed, are an absurdly costly burden on the care system and patients alike. Health plans would compete based on price, customer service, payment model innovations, and improved health status of their beneficiaries. 

As mentioned above, data and infrastructure security standards would apply equally and stringently to all contractors, as well as to providers of care. Criminal breaches of operating systems by cyberattackers would be a federal crime punishable by life imprisonment without the possibility of parole and forfeiture of all wealth and property. The federal government must be prepared to pursue attackers to the ends of the earth, since many are based in hostile foreign countries. Assistance by state actors, a real possibility in the case of the Change attack, would be punishable by ruinous economic sanctions and asset forfeiture. Fraud by care providers in claims submissions and care would be punishable by lifetime exclusion from the new payment infrastructure as well as criminal penalties. Payment of ransom to attackers should be a federal crime punishable by a fine 20 times the payment. 

US health care is 17.3 percent of the US GDP and by itself now exceeds the GDP of Germany. It has grown to the point where the uninterrupted functioning of health care payments is vital to national security. There is no reason why private sector firms cannot provide high-quality technical support for health care payment. A completely centralized, federally owned system of health care payment is neither practical nor desirable. 

However, the current IT system fragmentation, fragility, and the absurd complexity of health care payment rules all cry out for a much higher level of systemic security, stability, and simplicity. Simplifying health care payment will not happen with the current system of over 1,100 independent health plans without federal action. There is no excuse for the Change Healthcare data breach happening again.

Author’s Note

The author wishes to thank Tom Priselac, Gail Wilensky, Tim Kinney, Erik Pupo, John Klare, Joe Polaris, Troy Wells, and Trevor Goldsmith for their comments on this manuscript.

Sponsored Content: UHC

Advertisement: Icahn School of Medicine

April 2024 | Perinatal Mental Health & Well-Being