# Opener

Navigating Third-Party Cyber Risks in Healthcare: Insights from Recent Events

Published by Joe Breen

Looking at billing services’ impact on healthcare organizations

Last week’s blog talked about the events that nearly brought Change Healthcare’s services to a halt. This week, we’re going to look at the same event from the angle of healthcare organizations that the affected billing services have impacted. This is looking mainly at practices and large hospital networks that use payment management software to secure funds from insurance providers.

To tie this blog into the SEC’s cyber disclosure rules, let’s talk briefly about the relevance of third-party risk in the rules themselves. When questions came up at the time the rules were still being developed, it was noted that if a third-party organization has a cyber event that is material, organizations are still expected to conduct their assessment of the impacts. Materiality is a calculation based on a specific organization’s industry, risk tolerance, and other financial metrics. This means you can’t just piggyback off of another company’s assessment of the impact. In the case of the UHG event, that means hospitals that are being impacted by the billing delays will still need to conduct their materiality assessment, regardless of what UHG claims. We sifted through the SEC’s Edgar Database looking for mentions of the change healthcare event and found quite a few filings. Let’s take a look at what we found!

Pragmatic Cyber Risk Management in the Post-SEC Environment

The Axio services team hosted a webinar roundtable on pragmatic cyber risk management. The presentation focused on what security professionals can do today to be prepared for the  SEC cyber rules.

Insights from Encompass Health and Option Healthcare

There were a lot of companies with filings that mentioned the event itself, but there were two companies that gave more than just a mention: Encompass Health Corporation and Option Healthcare. Both companies filed their 8-ks upon receiving notification from Change Healthcare of the event. They both opened by stating that they were notified, they immediately severed all connections to Change Healthcare’s platform and then began their investigations. At the time of the 8-k, both claimed investigations came back with the result that no internal systems or data was compromised. Neither company has filed an amended 8-k, so from an investor’s standpoint, this is assumed to still hold. They also emphasized that while affected by this event, it has not stopped them from continuing their operations. Both companies operate a large network of hospitals and other outpatient centers and have claimed they are continuing to provide the care that their patients are seeking. In addition, Encompass and Option both mentioned that the events have not yet been assessed to be material, but each expanded a little bit on what they were going to keep their eyes on as things played out.

Encompass Health Corporation did not expand on the above too much, but they did at least mention what they were considering in their materiality assessments. They had of course mentioned that they were not slowing down with their daily operations, but they might see an impact on their financial results if the Change Healthcare event continues to cause billing issues.

Financial implications: insights from Option Healthcare

For Option Healthcare, mentioned the fact that this event has forced them to consider alternative options for billing and that more than one-half of the Company’s claims for services rendered since the third-party incident remain unprocessed. While the company doesn’t mention the dollar value of these “receivables”, it is safe to assume that this is a large balance to be waiting on. Option Healthcare anticipates annual revenue for 2024 to be in the ballpark of $4.6 billion. With the event occurring roughly a month ago, the value of these unprocessed claims could be upwards of $190 million based on these predictions and the statement that over half of the claims are unprocessed. In the same filing, they also mentioned that even if not material, the event is expected to have an impact on near-term financial results in a few different ways:

  • Cash flow and working capital due to the inability to process claims
  • Inefficiencies in patient registration and support functions
  • Inefficiencies in the billing and collections functions
  • Higher net interest due to lower-than-expected interest-bearing cash balances

They close out by mentioning that the company is very confident in its liquid (easy-to-access) assets, as well as a $400 million revolving credit to fall back on if all else fails. The detail they provided showed that they are not only financially prepared to handle this deferred revenue, but they also have clearly defined what might warrant a material impact.

Both companies mentioned the need for continued assessment of these factors, but it was great to see them not only conducting these exercises at a third-party event but also talking about the factors that they’re considering.

Axio has deep expertise building proactive cyber measures for healthcare organizations

When looking at events like this, Axio is here to help. In our guidance on how companies can best prepare for third-party risks, we mention the use of CRQ to efficiently assess the material impacts of the event. We are positioned to help you run scenarios on events like this, whether from the lens of UHG or companies like Encompass and Option. One of the best things a company can do to understand an event like this is to run CRQ ahead of time. Once the event occurs, you will hit the ground running with your assessment of material impact and save yourself some of the headaches that come following security events like this.

Fast-Track SEC Cyber Rules Compliance in Just 2 Days with Axio.
Harness the power of Axio360 to navigate governance, define materiality, and ensure transparent disclosure. Quantify potential business impacts in clear financial terms and streamline collaborative board-level reporting.