Overview of CMS Payment Issues During Cyberattack

Background of the Study

A recent study published in Health Affairs reveals that the Centers for Medicare & Medicaid Services (CMS) overcompensated numerous hospitals during a relief program following the Change Healthcare cyberattack last year. The research indicates that while the federal government allocated $3.3 billion to Medicare providers in early 2024, many hospitals received payments that surpassed their actual Medicare revenue losses during the initial six weeks of the cyberattack. Additionally, over 300 hospitals, mostly small and rural, did not participate in the relief program despite experiencing similar financial hardships.

Impact of the Cyberattack

The Change Healthcare cyberattack represented a significant disruption to the healthcare sector, which is frequently targeted by cybercriminals. It resulted in the exposure of data belonging to more than 192 million individuals, marking it as the largest healthcare data breach reported to federal authorities. The attack severely disrupted healthcare operations in early 2024, affecting critical administrative tasks such as claims processing, eligibility verification, prior authorization, and prescription fulfillment. Consequently, many healthcare providers struggled to submit claims and receive payments for their services.

CMS Relief Program Details

To mitigate the financial strain caused by the cyberattack, the CMS introduced a relief program allowing Medicare providers to request advanced payments. Providers received a one-time payment equivalent to 30 days of their average Medicare reimbursement, which could be reduced if requested. Notably, these payments were not adjusted based on the severity of the disruption, and the CMS later recouped these funds without imposing interest charges. According to the study, hospitals accounted for more than two-thirds of the total payments from the CMS, while physicians received nearly 19%.

Findings on Hospital Payments

The study found that most hospitals received more financial support than necessary to cover their losses. The median hospital reported a surplus of $314,302 from the relief program. However, approximately one-third of hospitals experienced revenue losses that exceeded the payments they received, while another one-third received payments of $1 million or more above their losses.

Participation Discrepancies

The research highlighted that some hospitals opted not to participate in the relief program, even if they likely faced financial disruptions due to the cyberattack. The median hospital involved in the program experienced a 66% reduction in Medicare revenue compared to the same period in 2023. In contrast, non-participating hospitals reported similar Medicare revenue during the same timeframe. The study identified 312 hospitals that did not receive relief payments but experienced revenue disruptions equal to or exceeding the median of participating facilities. These hospitals were predominantly smaller, less likely to be nonprofit-owned or affiliated with a health system, and more frequently located in rural areas.

Recommendations for Future Relief Programs

The researchers suggested that the CMS could enhance future provider relief programs. They recommended reducing payments to address the issue of overpayment, while simultaneously providing additional support for providers facing severe disruptions. The study emphasized the necessity of effective outreach to providers if the CMS continues with an opt-in strategy for relief payments. “This approach is appealing because of its ability to target relief payments to providers attesting to their need, but we found strong evidence that many hospitals experiencing revenue disruptions during the Change Healthcare cyberattack did not receive [Change Healthcare/Optum Payment Disruption] program relief payments,” the researchers concluded.