A University of Minnesota review found that the federal government’s upfront Medicare payments tied to the 2024 Change Healthcare cyberattack were oversized for most hospitals that received them, while hundreds of other hospitals that saw major drops in revenue were excluded from the program entirely.
Hospitals that were left out of the Change Healthcare/Optum Payment Disruption (CHOPD) initiative – a $3.3 billion accelerated and advance payment effort launched by the Centers for Medicare & Medicaid Services – were more likely to show signs of financial pressure or higher dependence on Medicare. These included rural facilities and those operating as critical access hospitals, according to the researchers.
The study identified over 300 hospitals that failed to receive CHOPD funding despite experiencing revenue hits greater than those seen by the median participant.
Roughly one-third of hospitals that participated in the program ended up receiving at least $1 million more than their Medicare revenue losses during the disruption period. Conversely, another third of hospitals in the program didn’t receive enough support to cover their Medicare revenue shortfall, in some cases falling short by millions.
These findings, which were published in the December issue of Health Affairs, represent the first data-driven evaluation of the CMS relief effort undertaken to assist providers whose revenue cycle operations were crippled by the Change Healthcare cyberattack, which impacted a major claims clearinghouse. The CHOPD initiative marked only the second time CMS deployed nationwide relief payments, the first being during the COVID-19 emergency.
Under the voluntary program, Part A and Part B providers could request up to 30 days’ worth of funding based on their mean Medicare reimbursement level. Unlike COVID-19 provider relief dollars, CHOPD payments were clawed back by CMS over the subsequent 90 days without interest and did not include mechanisms to direct support toward providers with the greatest financial need.
The researchers said the results highlight opportunities to strengthen future CMS interventions when providers face sudden operational shocks. To mitigate the median overpayment of $314,302, they suggested that CMS could lower the standard 30-day advance amount while adding an option for exception-based payments to support providers facing exceptionally large disruptions.
The study authors further explained that their results highlighted how crucial provider outreach would be if CMS decided to maintain an opt-in model for relief funds. They noted that this method was attractive because it directed assistance to organizations confirming their own need, yet their analysis showed clear evidence that many hospitals facing financial interruptions from the Change Healthcare cyberattack did not obtain support through the CHOPD program.
The team based its assessment on CHOPD payment records secured from CMS through a Freedom of Information Act request, combined with multiple datasets detailing hospital traits and Medicare billing activity.
Their review found that over 8,500 providers collectively received $3.3 billion in upfront payments from the program, including 476 hospitals that accounted for roughly two-thirds of that amount. According to the analysis, hospitals that received funds generally had higher patient discharge volumes and lower proportions of Medicare patients than the 3,866 hospitals that did not obtain CHOPD payments.
Change Healthcare Relief Fund Distribution Issues
The Change Healthcare Cyberattack Relief Fund, designed to support hospitals affected by recent cyberattacks, has reportedly overpaid some hospitals while missing others. Officials say gaps in the fund’s distribution process have caused discrepancies in relief allocation.Change Healthcare is working with regulators to correct errors and ensure that remaining funds are properly distributed. The company emphasizes that its goal is to provide timely support to healthcare providers impacted by cyber incidents while improving oversight and verification procedures.The funding missteps have raised concerns about transparency and accountability in Change Healthcare’s administration of relief funds. Hospitals and industry stakeholders are calling for more robust processes to prevent similar issues in future cybersecurity relief efforts.
