IN EARLY MARCH, Joe Martin, the owner of Function Better, a physical therapy clinic in Yorkville, N.Y., looked at his business bank account and thought he’d been hacked. After more than 22 years in operation, Martin, an orthopedic clinical specialist, had a good sense of the revenue that came through the door each week, and so he was alarmed when his statement showed the account was severely depleted.
Martin hadn’t been hacked, but Change Healthcare—the clearinghouse that touches from a third to half of all medical claims in America, including those submitted by Function Better’s billing firm—had. Change processes a stunning $1.5 trillion in claims annually in the U.S. And the February ransomware attack on the subsidiary of UnitedHealth Group (UHG), which has been described as “the most significant and consequential cyberattack on the U.S. health care system in American history,” has affected almost every corner of the industry.
With no insurance reimbursement coming into his practice for weeks on end, Martin went so far as to hire a bankruptcy attorney. Though when we spoke in mid-March, he had developed a work-around to muddle through the cash crunch: It involved his other business, a physical therapy practice based in Florida that accepts only Medicare and private pay (and thus doesn’t solely depend on insurance claims being paid). “There’s times in the last four weeks that I carried bags of cash on [the] airplane to make sure my employees were paid.”
Multiply Martin’s predicament by thousands of providers—from Fortune 500 hospital chains to single-office independent physicians—and the size and seriousness of this breach become increasingly clear. In March,
