Change Healthcare cyberattack isn't threatening major for-profit systems' bottom lines, execs say

The nation’s largest for-profit health systems reassured investors Tuesday that the Change Healthcare cyberattack, though disruptive in the short term, is a “transitory” event that’s unlikely to have a material impact on their businesses.

Systems like HCA Healthcare broadly acknowledged that their organizations are “better positioned than many others to weather” payment disruptions due to their scale, liquidity and their capacity to redirect claims to another vendor, per HCA Chief Financial Officer Bill Rutherford.

“We did use Change Healthcare and their products for a large portion of our billing interface system,” Rutherford said Tuesday at the Oppenheimer Annual Virtual Healthcare Conference. “We have worked diligently over the past two-and-a-half weeks to convert to another vendor [and] we’re now almost fully converted. … We were very fortunate that we already had an established relationship with another electronic billing vendor.”

Tenet Healthcare CEO Saum Sutaria, M.D., said during a session at the Barclays Global Healthcare Conference that Change is “an important vendor” but that the system only uses it in some of its hospitals. Neither its ambulatory care business, United Surgical Partners International, nor its physician business relies on Change, he said.

He stressed that the security breach did not extend from Change’s systems into Tenet’s—an important point for Tenet as its Conifer revenue cycle management business works with third-party clients that would have also been at risk.

Tenet, Sutaria explained, keeps Conifer’s billing edits and other proprietary processes “on the premises rather than in the cloud, and so they were unaffected. So we’ve been able to produce clean claims in our environment.

“The difficulty has been, frankly, submitting them electronically,” he said, though these difficulties have not led to any interruptions in business operations.

Universal Health Services CFO Steve Filton, who also spoke at Barclays, said his system doesn’t use Change for any outbound claims. Because “certain payers” do use it for inbound claims, however, “we think the effect may be 5% to 6% of our total claims,” he said.

Similar to HCA, UHS had another vendor that it had previously contracted with and so was able to switch over some physician groups that were using Change for their outbound claims, Filton said.

UHS does rely on “miscellaneous applications like automated cash posting” from Change, but recent commentary from the company suggests that many applications could come back online this week, he said.

“That’s disruptive, but over the short term I don’t think it’ll be a big deal,” he said. “It feels to me like this is mostly a transitory impact that will extend over three, four or five weeks, but after that shouldn’t be much of an issue.”

For Filton, the experience underscores the need for health systems to consider “a greater level of redundancy among all these applications,” he said. “… It just makes sense that in a lot of these applications, we don’t have a single user, single source vendor, just in case something like this arises.”

Tuesday’s comments strike a contrast with the criticism and alarm bells ringing among smaller healthcare providers and industry trade groups.

In a comment note issued Friday, Moody’s Investors Service warned that “providers with small scale, a weak financial profile, who only use Change and have little headroom in meeting debt covenants stand to suffer the most from the disruption.”

On Monday, the Massachusetts Health & Hospital Association released a report stating that 12 hospitals and health systems in the state were suffering over $24 million in reimbursement losses daily. With nearly three-quarters of Massachusetts systems currently posting negative operating margins, “the cash flow problem … is especially worrisome,” it wrote.

The federal government has worked to lower the bar for providers in need of advance payments and other supports and has been pressuring Change Healthcare parent company UnitedHealth Group and other insurers to do more for cash-strapped providers.

UnitedHealth Group put together a temporary funding assistance program in early March, which was blasted by provider associations like the American Hospital Association as “not even a Band-Aid on the payment problems” their memberships face. Another statement released last week from the Federation of American Hospitals—which represents for-profit hospital systems like HCA, Tenet and UHS—pointed to the “gravity” and expanding fallout of the cyberattack. It called for Congress and the administration alike to put together a response “on a scale to mitigate this unprecedented attack.”

Though their organizations are somewhat shielded, the for-profit executives speaking at Tuesday’s events acknowledged that the incident is weighing down nearly the entire healthcare industry—including UnitedHealth Group itself.

“It’s obviously quite disturbing that we have a cyberattack on systems that, in many ways, form a critical engine of liquidity in the healthcare system,” Tenet’s Sutaria said. “Having been through this a couple of years ago, I can imagine what UnitedHealthcare is going through, the state of confusion that can exist in this type of environment. … It’s very disturbing that this kind of thing can happen.”