WANAN YOSSINGKUM/istock via Gett

Feature

How OhioHealth got through the Change Healthcare cyberattack

When the Change Healthcare cyberattack occurred, OhioHealth activated its cyber risk management playbook and adjusted its revenue cycle management strategies to reduce disruptions.

Jill McKeon
By
Published: 03 Mar 2025

The Change Healthcare cyberattack hit the healthcare sector on Feb. 21, 2024, but its effects lasted far beyond that day. From large health systems to independent practices, providers and patients alike felt the effects of the cyberattack perpetrated by BlackCat/ALPHV cyberthreat actors for weeks, experiencing delays in authorizations for care and operational and financial disruptions.

Change Healthcare is a clearinghouse that is part of Optum and owned by UnitedHealth Group and processes 15 billion healthcare transactions annually. The revenue cycle departments within healthcare organizations were hit especially hard when one of their key tools was suddenly unavailable.

Nearly 75% of the approximately 1,000 hospitals surveyed by the American Hospital Association in March 2024 reported direct patient care impact as a result of the cyberattack, and 60% reported requiring two weeks to three months to resume normal operations. About 33% of respondents said that the attack disrupted more than half of their revenue.

OhioHealth was one of those hospitals that felt the impacts of last year's cyberattack.

"We were basically a single-source clearinghouse across all of our 16 hospitals and over 200 ambulatory sites," said Girish Dighe, vice president of revenue cycle at OhioHealth.

"So, hospital billing operations, professional billing operations, ran through that clearinghouse. We also did have some real-time eligibility and insurance verification processes with them as well too. But the main driver when it comes to revenue cycle and cashflow collections was the clearinghouse."

In the year since the cyberattack began, Dighe, like other healthcare leaders, has reflected on the decisions made in the early days of the Change Healthcare cyberattack, emerging with lessons learned and advice for fellow leaders.

Using a cyber risk playbook to guide incident response

OhioHealth is a nonprofit health system in Central Ohio that submits approximately 8.3 million claims per year across its network of hospitals, ambulatory sites and other services. Months prior to the Change Healthcare cyberattack, Dighe and his team had already put together a cyber risk management playbook specifically around cyber risk for the revenue cycle.

"That essentially means not just downtime procedures for any type of outage, but more of a longer-term downtime and how we would understand our primary systems, secondary systems, communication pathways and things across the revenue cycle components, whether it's coding, HIM, AR management or cash posting," Dighe explained.

"So, we were lucky to have that. That immediately put us into a mode of action to use our playbook that we created."

Essentially, Dighe and his colleagues had already worked to figure out how to navigate cashflow disruptions in the event of a cyberattack, which gave them a solid starting point to respond to this incident.

The team also conducted simulations across the organization to see how cyber risks would affect different areas of the business, such as revenue cycle, scheduling teams, clinical services and pharmacy.

Through these simulations, Dighe said he gained an appreciation for the cyber risk management practices that the organization maintained while getting visibility into remaining gaps. Dighe emphasized the importance of working with your organization's IT architecture and engineering teams to truly understand the technical system integrations from an IT perspective.

What's more, Dighe emphasized that each organization's approach to cyber risk management and the creation of a playbook will vary based on factors like organization size and system complexity.

"I think it's important for folks to know that everybody's cybersecurity risk protocols are going to be different at their organizations. Everybody's tolerance is very different," Dighe said.

Leaning on vendor support

When Change Healthcare's services went down, OhioHealth had to make a decision -- wait it out and hope that Change Healthcare is restored quickly, or pivot to a different clearinghouse altogether.

"I can't underestimate making that decision and weighing your options was so key critical. I can still remember weighing out the options. I'm a big fan of laying out a couple of options, talking about the risk, the value and putting the recommendation forward," Dighe noted. "And my recommendation was to the organization is we're moving forward now."

OhioHealth decided to switch their clearinghouse to Availity, a different revenue cycle management solution that stood up its Lifeline program within 48 hours of the cyberattack to offer an alternative to Change Healthcare.

"How do you get automation back into your system? That, to me, was the primary goal. And then everything else would come around that," Dighe stated.

"The timing of Change Healthcare was very fluid. There was no really dedicated understanding of when that would come back online. So, we couldn't afford to see cash segregation and erosion from that standpoint. To me, the true partnership was how quickly we were ready and Availity was ready to come to the table to state, all right, we got you."

Dighe emphasized that he had buy-in from the CEO and CFO to move forward with a new vendor, with the confidence that this move aligned with the organization's long-term plans, rather than being a quick fix.

"Revenue cycle is a lot of times change-averse and wants to do things the same way because there's a strict standard work or process that has worked, and then it's hard to evolve for that," Dighe said.

Dighe stressed the value of engaging with trusted vendor partners that are able to drive toward mutually beneficial outcomes and keep operations running, even amid an adverse event like a cyberattack.

"I don't think a provider can just do this on their own," Dighe said.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Dig Deeper on Cybersecurity strategies