How the Change Healthcare Hack Revealed Additional Fault Lines in Behavioral Health

The impact of the Change Healthcare hack is not just a distant echo in the behavioral health industry. The reverberations of this seismic event are still felt throughout the industry today.

On top of the direct impact of the Change Healthcare hack, 15 months or so of hindsight have revealed key lessons for behavioral health operators. Also, the hack and its fallout make clear what and where other fault lines in the industry exist.

“We cannot say this more clearly — the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history,” Rick Pollack, president and CEO of the American Hospital Association, said in a statement in March 2024.

On Feb. 21, 2025, Change Healthcare shut down certain systems after detecting a cyber incursion. In the weeks that followed, it would be learned that an international hacking group known as ALPHV/Blackcat had targeted Change Healthcare, taking advantage of services that did not use multifactor authentication, according to congressional testimony from UnitedHealth Group’s (NYSE: UNH) now-former CEO, Andrew Witty.

Change Healthcare is an entity within the UnitedHealth Group services division, Optum. It operates as a digital claims clearinghouse that acts as the go-between and digital translator for the various digital systems that health care providers and health plans use. This includes vital functions such as claims processing and verification, processing payments, and sharing certain clinical information. Estimates are that, at the time, Change Healthcare facilitated 15 billion transactions annually and touched 40% of all health insurance claims.

In March 2024, as Change Healthcare and Optum began to get systems rolling again, the organizations announced a funding assistance program that offered loans to help impacted providers. However, in April 2025, providers began to express frustration with how Change and the UnitedHealth Group affiliates approached payment recoupment. CNBC reported that the company called for immediate repayment of the loans.

Behavioral Health Business has spoken to behavioral health providers that report having similar frustrating experiences with UnitedHealth Group, the largest integrated payer, health care and related services provider in the U.S., and its various entities. UnitedHealth Group acquired Change Healthcare in late 2022 in a deal worth about $13 billion.

The providers spoke to BHB on condition of anonymity for fear of reprisals.

“United and Optum have persistently stonewalled us on any communication,” one provider said. “They announce publicly to contact them to discuss cyber outage claims, ostensibly appearing friendly and approachable, but in reality they don’t return communication in the timeframes they promise, if at all.”

That person’s organization missed out on hundreds of thousands of claims payments and has debt obligations with Change Healthcare of just less than $1 million. They have made some payments on their funding assistance, they said, but also experienced UnitedHealthcare withholding claim payments until they came to terms on a repayment plan. 

“We still feel strong-armed into it (i.e., we could not stop claims retractions until we agreed) and our damages still far exceed the advances they paid us,” they said.

For their part, Change Healthcare and Optum maintain that they are taking a flexible approach to helping providers that were impacted by the hack.

“Optum has and will continue to actively work with providers to identify flexible repayment plans based on the individual circumstances of providers and their practices,” a representative of the company told BHB. “We have also worked with UnitedHealthcare to ensure the claims it receives are reviewed in light of the challenges providers experienced, including waiving timely filing requirements for the plans under its control.”

The representative also notes that Change Healthcare was used by several other payers as well and can only deal with impacted or missed claims payments that are tied to UnitedHealthcare. It is working with the American Medical Association to encourage other health plans to also be flexible when it comes to timely claims filing.

The fragility of health care

Healthcare and the industries that are adjacent to it have been consolidating for decades, especially in the health insurance industry. For health insurance, consolidation has led to a small handful of organizations, among those being UnitedHealth Group, controlling most of the market share for various insurance products.

UnitedHealth Group, Elevance Health (NYSE: ELV), The Cigna Group (NYSE: CI), Aetna and Health Care Service Corp. account for 54% of U.S. market share, according to an analysis by the American Medical Association.

That, combined with the elevation of technology to facilitate the system, creates notable areas of potential weakness in the collective health care system. On its face, it may seem like such concerns would be outside of what individual provider organizations ought to think about when it comes to cybersecurity. However, the hack demonstrates that such events can’t be ignored.

“The central theme here is that no system is perfect, and we still have to do our part to protect ourselves,” Dr. Zaid Fadul, chief medical officer at Better U, an at-home ketamine-assisted therapy provider, told BHB. “Nobody can do your push-ups for you.”

The hack highlights a flaw in the health insurance-heavy focus that many behavioral health providers adopt in the hopes of making care more accessible and affordable for patients, Fadul said. It also shows the high levels of risk that providers take on when they rely on payers for the bulk of their revenue.

Fadul, who is also the CEO of the direct care provider Bespoke Concierge MD, notes that both of his organizations were minimally impacted by the hack because each didn’t lean into providing care on an in-network basis. His organization experienced a “bump” in business in the weeks following the hack because certain patients couldn’t get care.

In his estimation, the payer-provider dynamic in the U.S. has “a net effect that sucks” and “perverse incentives that are definitely there.” That dynamic has led him to work outside of that system.

“Nobody dictates to me how I do care; I do care based on each patient, not based on an algorithm the insurance more or less wants me to follow,” Fadul said. “The entire health care system right now is set up to be reactive, not proactive.”

A complicated relationship

David Khalili, CEO of Rouse Relational Wellness, an outpatient couples and sex therapy practice, said the hack and complications that followed inspired him to put the brakes on a strategic shift to getting contracts with more health plans. Khalili also does consulting work for other private practices.

Leading into the hack, about 20% of the group’s revenue came from insurance claims. In the wake of the hack, about 10% of revenue stopped coming in. Khalili said the minimal exposure to health insurance generally limited the overall impact on the practice. He said he didn’t have to “scramble” in a way that others in his professional network did — facing down the need to take on new debt funding to keep going, cutting staff or exploring bankruptcy — but was still impacted “significantly” at a personal level.

He and the other practice owners didn’t pay themselves for a time in the wake of the hack.

“It didn’t feel great to have to take on the brunt of the income loss,” Khalili said.

While there is wide variation with the various segments of behavioral health — even among providers in similar segments — behavioral health is not as well ensconced in the payer-provider dynamic as the rest of the health care system.

One study finds that behavioral health patients went out-of-network 3.5 times more often than patients receiving medical or surgical care. Many forces drive this — including a lack of parity enforcement, low payer reimbursement rates and ghost networks — and the impact is manifold. Patients potentially face greater costs for care while providers face a structural barrier to treating more patients.

While many in the industry say this dynamic is evolving, the Change Healthcare hack presents a potentially unpredictable and unavoidable risk when engaging with the health insurance industry. For Khalili and Rouse Relational Wellness, the company is working toward contracts with “nonprofits, employment agencies, EAPs or bigger companies.”

“That felt like a better match for us,” Khalili said.

Khalili speculated that developments such as the Change Healthcare attack could lead to a bifurcation within outpatient mental health based on which firms accept insurance and those that are capitalized by investors such as private equity or venture capital.

“I think what I’m hearing from a lot of self-funded or bootstrap practices is, well, ‘Let’s just have the VC-backed ones take care of the insurance clients. They’ve got millions of dollars, the business corporate approach,’” Khalili said. “It’s not how I wanted to see things go, but at least we’re not taking the brunt of the burden. A lot of us are not excited about working with insurance.”
