UnitedHealth Group Earnings Show Strong Q3 Revenue Growth
For most of 2024, and even going back into 2023, The Rowan Report has written about UnitedHealth Group and its acquisitions, its over diagnosing patients for financial gain, its dropping of Medicare Advantage plans, and, of course the Change Healthcare cyberattack.
Despite all the negativity, UnitedHealth Group continues to grow. The company’s revenue grew more than 9% over last year’s Q3 numbers. Even after the cyberattack, Optum grew by more than $2 billion. According to UnitedHealth Group CFO John Rex, the growth is due to an increase in both the number and type of care services offered. Optum operates three subsidiaries, OPtum Health, OptumRx, and OptumInsight, with total revenue of $63.9 billion.
CyberAttack did not Impact Earnings
According to the Q3 financial statement, per share earnings of $6.51 include the cyberattack impacts. The annual adjusted net earnings outlook for 2024 is between $27.50 and $27.75, in line with earlier projections. The 2024 net earnings outlook reflects both the selling of South American properties and the impacts from the Chnage Healthcare cyberattack. Net earnings outlook is $15.50 to $15.75 per share.
More UnitedHealth Group Acquisitions on the Horizon
UnitedHealth Group CEO Andrew Witty said the company is using a five pillar growth strategy. They will continue to spend money acquiring companies for United Healthcare, value-based care, pharmacy businesses, financial services, and what he called “technology-ed opportunities.
Meanwhile...
While UnitedHealth Group and Optum post higher revenue and cash flow and their shareholders se an increase in per share earnings, subscribers to UnitedHealth insurance plans are losing. Monthly premiums and annual deductibles for Medicare Part B increased from 2023 to 2024. Part B standard premiums are expected to increase by almost 6% in 2025. For seniors with higher income, the adjustment amount will go up to $74 per month, making monthly premiums jump to $259. The base beneficiary premium for Part D also increased in 2024 and will again for 2025.
Keeping it in the Family
Effective September 1, 2024, UnitedHealthcare started requiring prior authorization for Medicare Advantage member to receive PT, OT, and ST services when performed outside of the home. Not surprisingly, United Health owns multiple practices that offer PT, OT, and ST at home. Those services don’t require prior authorization. UnitedHealth Group is enjoying higher revenue, higher net income, and is funneling the money from insurance premiums back into its own pocket.
Go for the Gold
This announcement came just after UHC announced a gold card program to reduce prior authorization requirements. The gold card program started October 1st and was supposed to reduce the prior authorization request volume for provider groups. Providers groups who are in-network, have a minimum number of prior authorizations for two years, and have at least a 92% approval rate qualify for gold status.
Final Thoughts
Home health agencies are struggling to survive with lower payment rates from Medicare plans and operating in the negative under Medicare Advantage plans. Physician practices, surgery centers, urgent care, and pharmacy benefit managers are operating under UHC for even greater profits. More patients are seeing delays in care due to increased prior authorization requirements, unless the patient is seeing a caregiver owned by UHC. Shareholders are getting increased per share revenues. Perhaps there’s a solution hidden in the math there somewhere.
# # #
Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly kristin@girardmarketinggroup.com or www.girardmarketinggroup.com
You know the routine. Everyone does. You log into your bank, airline account, or health insurance web portal, enter the correct password, and are directed to look on your smartphone for a code to enter to fully authorize your login. The name for this is Multi-Factor Authentication, or MFA. Lack of MFA procedures leaves your company at risk, which UnitedHealth discovered when it was grilled by Congress about the cyberattack on Change Healthcare.
United Health Grilled by Congress
In his testimony to the House Energy and Commerce Committee Wednesday, UnitedHealth Group CEO Andrew Witty blamed the absence of MFA as the weak link that allowed a ransomware attack to cripple subsidiary Change Healthcare in February. The breach had ripple effects throughout healthcare, given Change’s role as fiscal intermediary for thousands of providers. Healthcare systems on every level were unable to file claims and receive payments.
Asked by the committee why Change Healthcare, which United acquired in late 2022, did not have MFA in place, Witty testified, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.”
CBS News reported that Change Healthcare processes 15 billion transactions a year. “The scale of the attack,” their report stated, “meant that even patients who weren’t customers of UnitedHealth were potentially affected. Personal information that could cover a ‘substantial portion of people in America’ may have been taken in the attack.” The breach has already cost UnitedHealth Group nearly $900 million, plus the $22 million ransom Witty decided to pay to the hackers.
The Russia-based ransomware gang, ALPHV, or “BlackCat,” claimed responsibility for the attack, bragging that it stole more than six terabytes of data, including “sensitive” medical records. The attack triggered a disruption of payment and claims processing around the country.
We followed up our initial report on the attack with CMS guidance on March 20, 2024 and an update on April 11, 2024, with reports that Change Healthcare was being blackmailed again by another ransomware gang, RansomHub, who claimed to have 4TB of data from Change Healthcare and demanded another ransom payment.
Walmart & Optum, UnitedHealth Trouble Spots?
UnitedHealth Group is also in headline news this week for two other reasons. The company’s Optum division, which owns home care giant CenterWell,formerly Kindred at Home, and which is awaiting government approval for its bid to acquire Amedisys, has quietly been executing a reduction in force. Reports are that the bulk of the layoffs are hitting “Optum Virtual Care,” the name given to naviHealth following its $1 billion acquisition in 2020. Following a surge in demand during the pandemic, the company is apparently abandoning telehealth services.
A planned 10-year collaboration between UnitedHealth and Walmart to provide virtual healthcare services ended Tuesday after only one year. On April 30, the retail giant announced that it will close its 51 health centers across five states due to the “challenging reimbursement environment” and rising operating costs, which have resulted in a lack of profitability. Like Optum Virtual Care, the centers were providing virtual services via telehealth.
A sign of the post-pandemic times? Perhaps. We will keep watching.
Tim Rowan is a 30-year home care technology consultant who co-founded and served as Editor and principal writer of this publication for 25 years. He continues to occasionally contribute news and analysis articles under The Rowan Report’s new ownership. He also continues to work part-time as a Home Care recruiting and retention consultant. More information: RowanResources.com Tim@RowanResources.com
For a few weeks now, we have been covering the Change Healthcare cyberattack by ALPHV/BlackCat and the subsequent updates from CMS. Pharmacy and medical orders have been delayed, providers and patients are suffering, and CMS has issued “guidance” with no real solution. Underground reports indicate that Change Healthcare paid $22 million to BlackCat following the first cyberattack and that BlackCat stole 6TB of data from the system. Change Healthcare has refused to respond to questions about the alleged payment. Three weeks after the attack, Change Healthcare started to come back online, starting with the pharmacy services, which returned on March 7th. Parent company UnitedHealth Group indicated that other services would return in the coming weeks.
Legal Action
More than 87% of physicians are see more than a 20% drop in daily claim submissions. As of April 9th, physicians are still reporting issues with cash flow and anticipate higher than expected losses due to financing and loans that may be needed to cover them as the effects of the attack continue. Rivals of Change Healthcare are reportedly onboarding hundreds of customers who have left the organization. One of these, Availity, has processed more than $5 billion in claims that were left unprocessed by Change Healthcare’s system and has onboarded 300,000 providers with a backlog of more than 50 health systems waiting to start using the platform.
The attack has caused long-term disruptions, delays, cash flow problems, patient care disruptions, prescription delays, and billing issues. Some physician practices have started using personal money to cover payroll and other expenses. The US Department of Health and Human Services (HHS) has launched a formal inquiry into Change Healthcare’s data protection standards. This inquiry follows six class action lawsuits filed against the organizations. Physicians were still reporting significant impacts on their claims.
Adding Insult to Injury
Change Healthcare has barely gotten their systems up and running were still putting out fires when they were hit again. On April 8, RansomHub contacted Change Healthcare and alleged to have 4TB of data stolen from the system and are demanding an extortion payment to keep the data private . RansomHub has threatened to sell the data, which includes US military personnel and patient data, medical records, and financial data, to the highest bidder in 12 days if the ransom isn’t paid.
Among the prevailing theories as to why Change Healthcare has been hit again is that the first ransom was supposed to have been split between ALPHV/BlackCat and an associate known as “notchy”, but ALPHV absconded with the ransom, leaving the other with nothing. Looking for a payout equal to what they lost, notchy partnered with RansomHub to try to recoup their losses. A second theory is that ALPHV and RansomHub are one in the same and that ALPHV went to ground after the ransom payout and have resurfaced as RansomHub. RansomHub, however, claims that after ALPHV went to ground, some of their affiliates joined the RansomHub operation and this is how they came by the data. Either way, it seems that the data stolen in the first attack was not returned after the ransom was paid and Change Healthcare is still susceptible to further extortion. This also means that the Change Healthcare system was not hacked a second time, but rather this is just an extension of the first data breach.
No word yet on whether Change Healthcare and UnitedHealth Group will pay the second ransom demand.
We will continue to follow this story and provide updates as it impacts payment and claims processing.
# # #
Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly kristin@girardmarketinggroup.com or www.girardmarketinggroup.com
On March 15th, the Centers for Medicare & Medicaid Services (CMS) issued a Center Informational Bulletin (CIB) that provides guidance and flexibilities to mitigate the impacts on providers resulting from the Change Healthcare Hack. In the guidance, CMS advises state Medicaid agencies that certain requirements will not be enforced, until June 30th, to enable ongoing funds to flow to providers and to prevent disruption of access to Medicaid services, prevent associated negative health outcomes, and avoid solvency issues for providers.
The most important component of the guidance is the ability for states to make interim payments to providers to avoid operational disruptions. Federal law and regulation does not allow for “advance payments” in Medicaid fee-for-service systems, despite their availability in Medicaid managed care environments; however, states can make interim payments to providers subject to reconciliation with actual services delivered.
CMS stresses that such interim payments are not advanced payments or prepayments prior to services furnished by providers, but rather are payments for services furnished that are subject to final reconciliation once the state has access to individual claims data currently inaccessible due to the cybersecurity incident.
The flexibilities CMS discusses in the guidance include:
Modifying required timelines for public notice, public process, and Tribal consultation and to obtain an earlier effective date for certain kinds of SPAs than would otherwise be possible;
Use interim payment methodologies to pay providers without current period claims data, as long they are determined via current approved payment rates, limiting the interim payments to the amount expected for each specific provider based on recent history, and reconciling the interim payments with final payments based on the actual services provided once they can be properly identified. These could be effective retroactively to the date when claims payment processing was disrupted due to the cybersecurity incident and could last until June 30, 2024;
Suspend beneficiary cost sharing requirements described in their state plans when necessary to avoid service disruptions for Medicaid beneficiaries for services affected by the hack;
CMS also includes language urging Medicaid managed care plans to make prospective payments to impacted providers and reiterating that plans do not need prior CMS authority to make prospective payments to providers. CMS also indicates that plans can:
Suspend or modify prior authorization requirements;
Allow early prescription refills and/or extend the length of prescription refills;
Extend existing prior authorizations;
Suspend out-of-network requirements; and
Modify or update cost-sharing requirements to be consistent with any changes that are made in the Medicaid state plan.
**March 6, 2024 Update** As the previously reported cyberattack on Change Healthcare continues, the US Department of Health and Human Services issued a statement on March 5, 2024 outlining immediate steps CMS is taking to assist providers. CMS is strongly encouraging Medicaid and CHIP plans to waive or relax prior authorization requirements. They’ve also urged providers to offer advance funding to providers.
According to feedback from NAHC members, the impact of this cyberattack on home health and hospice providers has remained minimal. However, for those experiencing delays in claims processing and payments, some providers are unable to meet payroll or pay for patient care items.
**February 29, 2024 UPDATE** We’ve just been contacted by a home care agency out of Charlotte, NC who told us, “For our home care agency we can’t submit claims for VA clients (ChangeHealthcare [sic] has been totally taken off line), and we aren’t having remittance records from Optum feed through ChangeHealthcare [sic] to Wellsky.”
February 28, 2024
The news broke last week that another cyberattack is impacting healthcare. This time, it is Change Healthcare, a division of UnitedHealth Group, that processes insurance claims and pharmacy requests for more than 340,000 physicians and 60,000 pharmacies. In response to this attack, UnitedHealth Group separated and isolated the effected systems, causing delays in claim payments and backlog pharmacy orders.
The attack was first reported on February 21, 2024 and the outage is still ongoing. Former FBI cyber official and current adviser for cybersecurity and risk at the American Hospital Association warns that the longer this outage persists, the worse it will get and it will start to impact patient care. UnitedHealth Group claims that fewer than 100 pharmacy orders and claims have been interrupted across its insurance and pharmacy plans. But, at least on health insurer is claiming a 40% drop in claims since the system went down.
Source of the Attack
Initially, UnitedHealth Group blamed an unknown “nation state” for the cyberattack. The FBI found no evidence of this and has since named Blackcat ransomware gang culpable in the attack. Blackcat ransomware gang has attacked numerous hospitals and the FBI seized their website and servers in December, 2023. Blackcat accessed the Change Healthcare system through vulnerabilities in the ConnectWise ScreenConnect remote desktop and access software.
Implications
The American Hospital Association has urged all healthcare organizations that work with Optum, Change Healthcare, and UnitedHealth Group to weigh the risk of the connection to Change Healthcare against the possible clinical and business disruptions cased by severing that connection.
Health-ISAC anticipates additional cyberattack victims in the coming days. ConnectWise has alerted its users to the remote code execution flaw and has urged all users to update immediately to prevent attacks.
Point of View
This is not the only story this week about UnitedHealth Group. Backlogged pharmacy orders, healthcare claims, and payments, add further credence to the Antitrust probe filed this week by the Justice Department, investigating UnitedHealth and Optum. Should one healthcare group have this much influence over insurance, physicians, pharmacies, and home care?
# # #
Kristin Rowan has been working at Healthcare at Home: The Rowan Report since 2008. She has a master’s degree in business administration and marketing and runs Girard Marketing Group, a multi-faceted boutique marketing firm specializing in event planning, sales, and marketing strategy. She has recently taken on the role of Editor of The Rowan Report and will add her voice to current Home Care topics as well as marketing tips for home care agencies. Connect with Kristin directly kristin@girardmarketinggroup.com or www.girardmarketinggroup.com
for a code to enter to fully authorize your login. The name for this is Multi-Factor Authentication, or MFA. Lack of MFA procedures leaves your company at risk, which UnitedHealth discovered when it was grilled by Congress about the cyberattack on Change Healthcare.
formerly Kindred at Home, and which is awaiting government approval for its bid to acquire Amedisys, has quietly been executing a reduction in force. Reports are that the bulk of the layoffs are hitting “Optum Virtual Care,” the name given to naviHealth following its $1 billion acquisition in 2020. Following a surge in demand during the pandemic, the company is apparently abandoning telehealth services.
Tim Rowan is a 30-year home care technology consultant who co-founded and served as Editor and principal writer of this publication for 25 years. He continues to occasionally contribute news and analysis articles under The Rowan Report’s new ownership. He also continues to work part-time as a Home Care recruiting and retention consultant. More information: 
On April 8, RansomHub contacted Change Healthcare and alleged to have 4TB of data stolen from the system and are demanding an extortion payment to keep the data private . RansomHub has threatened to sell the data, which includes US military personnel and patient data, medical records, and financial data, to the highest bidder in 12 days if the ransom isn’t paid.
