Nonprofit Healthcare Systems: Change Healthcare Impact Evident in Q1 Numbers
Healthcare systems are struggling to catch up on billing and collecting for patient care as the industry seeks to get back to normal after a major disruptive cyberattack. Change Healthcare, the largest provider of revenue cycle and claims management in the U.S., was hit with a cyberattack in February that halted most activity through its platform for several weeks. Impacts to healthcare providers’ finances include higher accounts receivable, declining revenue, and lower days’ cash on hand, based on financial filings of nonprofit healthcare systems in the first quarter of 2024.
The impacts likely would have been worse, except for generally strong investment markets in Q1, which cushioned the negative impact on cash balances, emergency support in the form of cash advances and loans from the Centers for Medicare and Medicaid Services (CMS) and United Healthcare (Change’s owner), and the fact that many healthcare providers don’t rely exclusively on the Change platform, so were able to continue processing some claims while Change was shut down. Additionally, most of Change’s systems were operational by the end of March, so some of the claims backlog was probably in process by the close of the quarter at March 31.
The attack, which began on February 21st, cripped financial operations for physician groups, pharmacies, and hospitals nationwide. It was several weeks before most of Change’s claims processing systems were restored (timeline), but it will likely take longer for the backlog to be fully processed, and it remains to be seen if the financial impacts to healthcare systems are purely temporary or if some accounts become more difficult to collect because of the delay.
A survey by the American Hospital Association found that 94% of hospitals reported a financial impact from the disruption, with more than half reporting the impact as “significant” or “serious”. The potential impact was significant enough to prompt commentaries on the potential credit impact to healthcare systems from the 3 largest rating agencies — S&P Global, Moody’s, and FitchRatings.
Accounts Receivable Spiked
From a sample of nonprofit healthcare systems’ financial statements analyzed by Nutshell Associates, days in accounts receivable shot up by 15% to 53 days in the quarter ended March 31, 2024, meaning it was taking longer to collect patient accounts than usual. Days in accounts receivable had previously remained in a tight range of about 45–48 days.
Operating revenue was also down in the quarter ended March 31st by 1.7%, which could reflect a reluctance to record revenue for patient care if hospitals were unable to bill for it during the cyberattack, although other factors could also be at play including divestitures, asset sales, or other changes in revenue producing assets among hospitals in the sample.
Days’ cash on hand fell during the quarter, to an average of 214 from 218, a slight decline that was probably related to the backlog of patient accounts receivable due to the cyberattack. When accounts receivable grow, cash flow isn’t coming in as quickly as it should, while expenses usually continue to be paid, so cash balances fall. The decline in days’ cash may have been worse, except for advances offered by the Centers for Medicare and Medicaid Services (CMS) and United Healthcare, which some providers utilized, and investment markets that were generally solid in Q1. Large cap stocks were up 11% in the quarter, offset somewhat by a 1% decline in Bloomberg’s US Treasury Index.
Reliance on Technology Platforms
Although the worst effects of the attack seem to be behind us, the Change Healthcare episode highlights a previously unrecognized reliance by healthcare providers on technology platforms like Change for day-to-day cash flow. Healthcare is an especially rich target for cyber criminals due to its size and the large amount of sensitive data that providers manage. The U.S. Department of Health and Human Services (HHS) has documented almost 900 data breaches in the last 24 months that each impacted the protected health information of more than 500 individuals. The attack also highlights the value of liquid cash reserves, which provided a strong cushion for many healthcare systems to manage disruption of cash flow while continuing to pay expenses and provide necessary care to their communities.
About the data
The sample used for this study includes 24 nonprofit healthcare systems, including stand-alone hospitals, single-state systems, and multi-state systems. The healthcare systems have total annual operating revenue of approximately $115 billion. All systems in the sample have issued debt in the municipal securities market, and post quarterly financial statements on www.EMMA.msrb.org. The same 24 systems were tracked for eight quarters, starting with the quarter ended June 30, 2022, through March 31, 2024.
Liz Sweeney is President of Nutshell Associates, LLC