Linda Witzal runs a small independent pharmacy that caters exclusively to about 1,200 residents of New Jersey senior living facilities. Virtually all the revenue she takes in comes, ultimately, from the government. In a simpler time, she billed New Jersey Medicaid directly for most of her patients. "When I started in this business, I was 28 years old, and New Jersey was actually very easy to get on the phone back then," Witzal, now in her early sixties, recalls.
Three and a half decades later, there's a whole legalized extortion ring that small pharmacies like Witzal's need to pay off to access Medicare and Medicaid funds, a symptom of the middleman creep in the pharmaceutical transaction chain. Standing between pharmacies and reimbursement checks for the drugs they dispense are the administrators of managed care programs, the tyrannical triumvirate of dominant pharmacy benefit managers that represent about 85 percent of all health plans, and Change Healthcare, the electronic data clearinghouse—or "switch," as pharmacists call them—she uses to access the computer ecosystems of these middlemen. Until last week, Witzal viewed Change as one of the least-bad gatekeepers in the pharmacy business, though that was starting to change in the aftermath of its 2022 acquisition by UnitedHealth Group, the $372 billion Minnesota health care leviathan, which axed hundreds of tech and call center employees immediately after closing the deal. "It was getting harder and harder to get someone on the phone," she says.
Then just over a week ago, Change abruptly shut down for Witzal and 67,000 other pharmacies it services. The company, it turned out, had been attacked by an extortion ring of its own, a hacker UnitedHealth initially identified in a Securities and Exchange Commission filing as a "suspected nation-state-associated cyber security threat actor" but has since emerged as the ransomware gang BlackCat/ALPHV, whose affiliates cybersecurity experts have previously described as native English speakers from predominantly "Western countries" between the ages of 17 and 22.
Ransomware gangs, which brought in a record $1.1 billion in 2023, have besieged the U.S. health care system in recent years. Four of last year's ten most disruptive ransomware hacks attacked health care providers, and affiliates of BlackCat/ALPHV alone took credit for attacks on at least three hospital systems and an electronic health records provider last year. Last summer, the private equity–gutted Prospect Medical chain of safety-net hospitals descended into chaos at the hands of a ransomware gang, and was forced to divert patients from some hospitals for weeks.
But the sheer size of the data cache held by Change puts this breach in a different class. The company, which is believed to process at least half of all the health insurance claims filed in the entire country, is the agglomeration of dozens of smaller data providers, stitched together through the years.
"It's an order of magnitude worse than anything I've ever seen," says Luke Slindee, a Minnesota pharmacy consultant who has worked for United in the past. "Change has, over a long time period, become the IT vendor of an ungodly amount of things. The reason everyone is talking about pharmacies is because that's one of the few places in health care where stuff actually happens in real time, but I guarantee you there are entire medical offices and clinics that are not able to do anything either … Everything about this is a disaster."
THE ROOTS OF CHANGE TRACE BACK TO A COMPANY called Healthcare Data Interchange Corp., a unit of the giant insurer Aetna. In 1997, Healthcare Data Interchange was acquired by a Nashville payment processing company called Envoy, which was in turn acquired in 2000 by the dot-com startup Healtheon/WebMD, which scooped up dozens of smaller firms using its high-flying stock price during the first dot-com boom while promising to bring health care into the "cyberspace era." After ten WebMD executives were indicted in an accounting fraud and kickback scheme, the company changed its name to Emdeon and reinvented itself as a low-key consolidator of just about every kind of software or information technology vendor in the business. It sold out to the private equity firm Blackstone in 2011, which moved the conglomerate to Nashville and renamed it "Change" after buying another firm with that name in 2014, by which point Emdeon had absorbed at least 24 separate companies.
Change owns bill collectors, consultancies, IT outsourcing firms, a bare-bones pharmacy benefit manager (PBM) that administers co-pay assistance programs and processes Medicaid claims in 11 states, auditing and verification systems, and practice managers. "The healthcare system, and how payers and providers transact, would not work without Change," the company boasted in one prescient presentation referenced in the DOJ's failed 2022 antitrust lawsuit to block the company's acquisition by UnitedHealth. And sure enough, the Change ransomware outage has upended operations for untold numbers of health care providers.
PBM abuse has galvanized independent pharmacists into perhaps the single most emphatically anti-monopoly small-business lobby in America, and they have seized on the outage as a belated vindication for the Change/UnitedHealth lawsuit, which the media portrayed at the time as a quixotic power grab. (It died at the hands of a preposterous ruling by federal judge Carl Nichols that essentially amounted to "But they promise they won't do anything bad.") Revisiting the 199-page proposed findings of fact the agency produced in that case, I wonder how the DOJ might tweak its argument with the benefit of hindsight. Like most defenses of anti-competitive mergers, UnitedHealth's response focused heavily on highlighting the "efficiencies" it would bring to Change's operations. The DOJ, by contrast, built its case around the harms United might inflict upon its competitors using Change's arsenal of data, and swatted away the "efficiencies" argument like the mosquito it was.
But anyone who lives in the world knows that what corporate lawyers call "efficiency" is in reality almost always the direct antithesis of the word. Debilitating—and, duh, inefficient!—ransomware attacks almost always occur after layoffs, outsourcing, and budget cuts that invariably give short shrift to luxuries like data protection and cybersecurity.
Just consider the targets of some of the most disruptive ransomware attacks of recent years. Colonial Pipeline had paid out dividends in excess of its profits to owners like Koch Industries for years leading up to the hack that caused a nationwide run on gas stations. Prospect Medical paid out $658 million in dividends to private equity owners while shirking its ambulance gas bills in the years before its crippling August ransomware attack. The casino conglomerate Caesars and the hospital chain Ardent Health Services were both strip-mined by confederations of private equity firms and real estate investment trusts in the years before their ransomware attacks last fall. The enterprise software company Citrix was taken private in a mind-bending buyout deal so overleveraged the company could not afford to make its first interest payment even after laying off 1,000 workers, just a year before a ransomware gang developed a customized hack called "CitrixBleed," targeting customers from Comcast to a major mortgage servicer.
Change was strapped for cash when UnitedHealth acquired it, because its owners had been raiding its balance sheet for years. When it went public in 2019, $450 million of its $3 billion in annual revenue was being siphoned off into interest expenses on its massive debt load and pseudo-dividends to its owners, which were called "tax receivable agreements." UnitedHealth cut still deeper, according to pharmacists and online reports. In October, a trade publication collected ten separate reports of widespread, high-level layoffs at Change's new parent company Optum, and message boards like Reddit and TheLayoff are full of online accounts suggesting United deliberately conducts rolling, mass layoffs "in secret."
On Monday, The Examiner News of New York's Hudson Valley broke the news that the DOJ had been conducting a broader investigation into UnitedHealth since last October, in a story that also mentioned that the company had just last week laid off 119 employees from a medical practice it had acquired in 2022. Companies with more than 100 employees are required by law to warn them 60 days in advance of layoffs affecting more than 50 people at a given site, but according to a layoff tracking site, UnitedHealth hasn't filed such a notice since 2010.
Which brings me to another unappreciated problem with monopolies: They act like they are above the law because they are. UnitedHealth is so big and dominant that traditional antitrust concepts are insufficient to describe the harms that result from making it even bigger. After United purchased the senior care utilization management software NaviHealth in 2020, for instance, there is no evidence it used the company's data to spy on NaviHealth client competitors like Humana. What we do know, thanks to an appalling investigation by STAT News, is that United immediately tweaked NaviHealth's algorithm to force case managers to systematically discharge postoperative Medicare Advantage patients from rehabilitation facilities well before they were ready to go home. United was far more interested in using NaviHealth as a pretext for denying care to sick patients than it was in exploiting its data. This was not new behavior for the health care colossus. In 2008, then-New York Attorney General Andrew Cuomo sued the company after discovering that its claims database Ingenix, which evolved from a company called Medicode, Inc., it acquired a decade earlier, was actually little more than an elaborate scheme to defraud providers by spitting out lowball "reasonable and customary" estimates for medical services provided. (Far from hoarding this fake information for its own purposes, United sold Ingenix's fraudulent data to Aetna, Cigna, Wellpoint, and others.)
It stands to reason that UnitedHealth likely acquired Change with the intention of using its "services" in similarly pretextual fashion, to systematically screw patients and providers with a patina of plausible deniability. Surely the ongoing antitrust investigation can incorporate this analysis and use it to break United's power.
But the ransomware gang got to the job first, which has left many pharmacists pondering how the system might work if somehow they could dispose of all the profiteering middlemen. "It was on this day in History, where Change Healthcare went offline and every Indy in the United States turned a profit," joked the California retailer behind the "Angry Pharmacist" podcast and blog.
UNITED CLAIMS THAT 90 PERCENT OF ITS PHARMACY CUSTOMERS have established "workarounds," enabling them to process claims without its clearinghouse services. For most transactions, the workaround has simply involved rerouting claims through Change's primary competitor, Relay, which is owned by the drug distribution goliath McKesson (which also, oddly enough, co-owned Change with Blackstone between 2016 and 2020).
But for transactions involving insurers or providers that outsource claims processing to Change, the "workarounds" have been more challenging. Physicians who use Change to process their e-prescriptions have had to revert to paper prescriptions, and states like Colorado that require doctors to e-prescribe controlled substances have temporarily relaxed those requirements. Eleven state Medicaid programs and several Medicare Part B contractors use Change to process claims, and for some the only workaround so far has involved giving patients their drugs and praying the system comes back online soon.
So far, Witzal has used the "honor system" to dole out just over $1,000 worth of medication, mostly vaccines administered through Medicare Part B. "If this happened in September, when I'm doing hundreds of thousands of dollars worth of flu and RSV vaccines, I don't know what I would even do, I would literally be finished," she said.
In Utah, one of the states whose Medicaid program uses Change, the week has been oddly liberating, says Benjamin Jolley, a compounding pharmacist and self-described "anti-monopoly crusader" in the state. After working through the weekend to reach out to tens of thousands of patients with unfilled prescriptions in the system, the state decided to simply put together a simple four-question Google form for pharmacies to file requests for reimbursement until the system is back up and running. "[It's] janky and hacky, but it does the job," said Jolley, who has filled $1,500 in Medicaid prescriptions since the outage started and filed for reimbursement yesterday. "Presumably if anyone asks for an abnormally high figure they'll look at their history and give them a call."
But the mere fact that a state government decided to reimburse pharmacists using a Google form is a powerful reminder that even massive health care bureaucracies can emancipate themselves from the tyranny of health care middlemen if they want to, says upstate New York community pharmacist Steve Moore, who has spent the past several years slowly but successfully lobbying his own state Medicaid authorities to banish the dominant PBMs they once contracted to manage their pharmacy benefits.
Until last year, he says, PBMs alone extracted such an enormous cut of drug costs that he grossed just 50 cents dispensing medication to a Medicaid patient. Now he makes a few dollars on most sales, and the state still expects to save more than $700 million this year that the PBMs had previously been extracting in fees and spread pricing.
It wasn't easy to get the state to forswear PBMs: Industry advocates promised "massive confusion" and also "Armageddon" and successfully postponed the switch by two years. "They literally had a 'die-in' at the state capitol," Moore laughs, referencing a group of astroturf activists organized by an HIV/AIDS nonprofit who protested the state's insourcing of its Medicaid drug program by lying down on the floor of the statehouse the week before the change went into effect, supposedly concerned the change would threaten safety-net hospitals and community clinics. (A long story but … it didn't.)
Now that the pharmacy benefit racket has produced a doomsday scenario all by itself, independent pharmacists hope the Change outage will spur health care bureaucrats in other states to ponder similar reforms. Witzal, for her part, still pines for the days when you could get the government on the phone when a nursing home resident needed a drug. "They had some really capable people working in the Medicaid system back then and when you had a problem they would pick up the phone and help you," she remembers. "It was nothing like today."