The Change Healthcare Cyberattack: A Risk Perspective for CFOs and Treasurers

2 minute
Resource allocation collage

On February 21, 2024, Change Healthcare – Optum’s claims processing platform – experienced a massive cyberattack. Change’s platform touches about one-third of all patient records processed annually. To limit the impact, Change immediately disconnected its systems, and as a result, hospital systems were not able to send or receive claims information through Change’s clearinghouse platform. As of this article’s publication date, Change was still working on full restoration of services.

The cash management impact of this cyberattack may be more pronounced for some and less so for others, depending on their level of exposure to the Change Healthcare clearinghouse. For those with exposure, cash recognition as revenue may decline as hospitals post any funds received as “pending” to the General Ledger, until a match can be made between the cash received and the claim information via the clearinghouse. As a result, days in Accounts Receivable could rise while days cash on hand may decline. Depending on how long this incident lasts, it may cause significant liquidity challenges at hospital systems, particularly those with greater exposure to Change that have limited financial reserves, and/or covenant issues as the quarter-end approaches.

According to reporting from the Wall Street Journal,[1] banks and other firms have faced increased cyberattacks since the start of the Ukraine War in 2022. These attacks, perpetrated by so-called “hacktivists,” are often politically motivated. In particular, there is an uptick in “distributed denial of service” (DDoS) attacks, in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites. Per the Wall Street Journal article, “Ransomware groups sometimes use DDoS as one component of an attack, or use DDoS to get a company’s attention while demanding a ransom to retrieve stolen data.” In other words, the Change cyberattack may not be an isolated incident. 

What can we learn from this incident?

It pays to prepare. Hospital providers are reevaluating concentration risk among vendors, cybersecurity spending levels, cyber risk policy development, and the like. What we cannot protect with mitigating strategies, however, we must own. At some level, the question becomes whether it makes sense to allocate some amount of additional liquidity to hedge this sort of risk. Given the increase in frequency of disruptive events like Change Healthcare, it becomes clear that enhancing preparations is more important than ever. Had the hospitals that were most impacted by this incident sized the potential impact of a cyberattack and set aside cash reserves in their investment portfolio to protect against just such an incident, the impact would be more manageable. These preparations will not only ensure adequate liquidity in a crisis, but we contend they will also be well received by the rating agencies as a sophisticated step in managing financial risk. 

We recommend that clients consider a systematic approach to allocating reserves to areas of risk within the organization, a process we call Strategic Resource Allocation. This process, designed to identify and address emerging systemic risks, becomes invaluable in an increasingly complex world. Examples of key risks hospitals face that we have helped our clients quantify include:

  • Cyberattacks (Change Healthcare is one example)
  • Salary increases above Plan estimates (i.e., if the Plan estimates 2%, what if it is 5%?)
  • 340B expiration
  • Reimbursement risk
  • Payer mix shifts (i.e, more government payers vs. commercial payers than expected)
  • The impact of potential unfavorable state legislation (i.e., minimum wage increases)

Our contention is that risk identification requires participation from key executives within the organization, with the goal of narrowing the list to the top 10 – 15 risks facing the organization. Once identified, the objective turns to quantifying the potential dollar impact of those risks in a structured and collaborative way. This rigorous quantitative exercise becomes the basis for positioning the balance sheet to prepare hospital providers for risks—both macro risks and risks unique to each institution.

An additional proactive step would be to create a governance document to support the risk-sizing work, and to prepare in advance how to respond in the event of a future liquidity crisis. Hospitals must have preparedness plans in the event of a natural disaster, or the outbreak of a highly contagious disease; a liquidity crisis is no different. A board-approved “Liquidity Preparedness Plan” can be used to designate sources of cash in a crisis situation, such as lines of credit, commercial paper programs, and a pool of more liquid assets in the long-term investment portfolio designated as immediate sources if needed. The quickest and easiest way to prepare for future risk events is to ensure adequate and diverse liquidity sources, and to allocate certain assets in the investment portfolio to protect and preserve the core mission of the hospital.

[1] Stupp, C.: “Banks Face ‘Hacktivist’ Cyberattacks.” Wall Street Journal, March 6, 2024.

Lisa Goldstein headshot
Lisa Goldstein is a nationally recognized analyst, speaker, writer, and expert on not-for-profit healthcare. At Kaufman Hall, she is a member of the Treasury and Capital Markets practice and Thought Leadership team.
Similar Resources