top of page

UnitedHealth Exploits an ‘Emergency’ It Created

The Change ransomware attack left an Oregon medical practice with an empty bank account, and only one quick way to fix it: sell to UnitedHealth.

Last Thursday, the medical colossus UnitedHealthcare applied for an emergency exemption that would fast-track its takeover of a medical practice in Corvallis, Oregon, in a letter warning regulators that the practice might close its doors if the merger were not approved right away.

Although the specific reason for the exemption request is redacted from the publicly posted version of the application, a clinic insider says the “emergency” is the same one that has plunged thousands of other health providers across the nation into a terrifying cash crunch: the weeks-long outage of UnitedHealth’s Change Healthcare clearinghouse and claims processing systems, which has halted the flow of information that enables physicians, hospitals, and other health care providers to get paid for their work. 

“Our claims processing goes through [Change], so all of a sudden there was no money coming in,” the insider, an employee of The Corvallis Clinic who did not want to be identified for fear of jeopardizing the transaction, told the Prospect. The clinic’s shareholders, who include include more than half of its 110 physicians and one of its behavioral health providers, worked without pay last week in order to “scrape together enough money to pay the staff,” the insider said, but on Thursday the shareholders explained that they weren’t sure they would be able to open the doors Monday without an emergency cash injection. “They’re praying that the sale’s going to go through and that Optum will front them the money.” 

The situation underscores the perverse state of affairs in which UnitedHealth, which comprises some 2,642 separate companies that collectively raked in $371.6 billion last year, has arguably profited from the desperation that the hacking of its Change computer systems in late February has inflicted upon the health care system. An estimated half of all health care transactions are processed or somehow otherwise touched by Change, a rollup of dozens of health care technology firms that provide 137 software applications that have been affected by the outage. 

Every dollar in revenue that has disappeared from hospitals, medical practices, and pharmacies in the aftermath of the outage corresponds to an extra dollar sitting in the coffers of the nation’s health insurers, so UnitedHealth, which pays out roughly $662 million in medical claims each day, is presumably sitting on a mountain of unexpected cash. 

But the massive insurer has been thus far reluctant to share its wealth with the desperate health care providers that can’t bill it, rolling out an emergency zero-interest lending program that has offered health care providers loans as small as $10 to “tide them over.” Last week, a suburban Philadelphia physician whose $6 million-a-year practice was offered all of $3,300 by UnitedHealth’s emergency loan program told the Prospect that the outage could force her to sell her otherwise profitable 80-employee practice for far less than its worth just to keep the lights on. 

The situation in Corvallis reveals a second potential benefit for UnitedHealth, as a discount acquirer of broke medical practices. UnitedHealth’s Optum subsidiary is the largest employer of physicians in the country, and it can add to its stable by securing purchases of companies put into a terrible position by its own ransomware hack.

Joshua Corman, former chief strategist of the Cybersecurity and Infrastructure Security Agency (CISA) COVID task force, said that the Change hack “has created a massive going-out-of-business sale … There are so many distressed assets to prey upon.”

Oregon’s House of Representatives recently passed a bill to close loopholes in its corporate practice of medicine law that would prevent anyone from controlling physician practices who is not a licensed physician. But though the bill advanced through a state Senate committee, Senate Majority Leader Kate Lieber failed to bring it up for a vote. This puts Oregon even more at risk from seeing private equity and other investors gobbling up their health care practices in a fire sale.

The extent to which lax cybersecurity practices at UnitedHealth are responsible for the ransomware attack is unknown. In December 2021, the company assigned a “Needs Improvement” rating to its own data governance team during a routine internal audit, according to a court filing produced in the Justice Department’s failed lawsuit to block the insurer’s $13.8 billion acquisition of Change. The proposed findings of fact noted a “heightened risk of data being mismanaged” by Optum, which comprises the company’s non-insurance divisions, and “no effective means of enforcement if or when data misuse is discovered or reported,” leading to a “risk that the [Enterprise Data Management Office] will be unable to effectively intervene and reinforce data management practices.” 

In the year since United finalized its takeover of Change, Optum has reportedly engaged in extensive head count reductions, according to multiple news sources and an October lawsuit filed by two laid-off California employees who allege the company illegally terminated them without the legally required 60-day notice.

Many Oregonians are bitterly opposed to United/Optum’s proposed takeover of The Corvallis Clinic, a deal first announced last December. A request for public comment posted by the Oregon Health Authority drew 365 comments from local physicians and patients, about 350 of whom skewered the company and the merger plan. 

“Optum/UnitedHealth is harmful to patients, that's not just some idealistic viewpoint that corporations are evils, it is provable fact,” a typical comment reads. “Unlike the current Corvallis Clinic which is owned and operated by people familiar to the community, United Health can hide behind a screen of LLCs, management firms and private equity to evade responsibility for choices that maximize profit and minimize the well-being of their patients,” reads another.

In partial response to the influx of comments, the Oregon Health Authority earlier this year drew up a list of 24 conditions it asked UnitedHealth to agree to meet as a condition of buying the practice. The conditions generally consisted of agreements to continue accepting all the forms of insurance the clinic currently accepts, maintain all of its services, and “use all commercially reasonable efforts to retain substantially all employees and document to OHA the number of employees retained and provide the rationale for any workforce reductions” a year after the transaction. 

Those terms were fairly standard-issue for blue-state health care transactions, but UnitedHealth seems to have balked; emails produced in a public records request suggested they had not responded as of the middle of last week. UnitedHealth had also refrained from filing an application to invoke the emergency exemption to the usual merger review process—until Thursday, when the clinic’s very existence hung in the balance.

At that point, UnitedHealth told authorities the transaction was “urgently necessary to maintain the solvency of The Corvallis Clinic” and that their failure to approve it immediately could force the practice “to close its doors.” UnitedHealth and the Oregon Health Authority did not respond to a request for comment.

A cybersecurity source suggested to the Prospect that, given the potential benefits to acquirers from the weakened condition of provider practices, mergers might need to be frozen, with a rescue package of interest-free government bridge loans given to those affected until the crisis lifts.

Dr. John Santa, a local physician who filed a public records request seeking more information on the merger oversight process last week, said he finds the debacle “embarrassing for Oregon.” 

“This is a state that prides itself on transparency, but both Optum and The Corvallis Clinic have refused to release any information to the public of importance, and the documents they submit are almost entirely redacted. But for corporations [like UnitedHealth] keeping things a secret is just a way of life,” he said. “Health care requires transparency, and the impact of business confidentiality on patients can be extremely harmful.”

Reporter: Maureen Tkacik, Investigations Editor at the Prospect, Senior Fellow at the American Economic Liberties Project.

8 views0 comments


bottom of page