Two independent healthcare practices in Minnesota once aimed for expansion but have faced challenges recovering from the significant cyberattacks on the UnitedHealth Group Payment System over the past year.

Odom Health & Wellness, specializing in sports medicine and rehabilitation, and Dillman Clinic & Lab, a family medicine provider, are among numerous medical offices that faced sudden financial disruption last year. Cyberattacks on Change Healthcare, a division of United, have crippled many healthcare payment systems nationwide for months.

Billions of dollars have been lent to medical practices short on cash, with repayment demands now surfacing.

Odom and Dillman are filing a lawsuit against United in U.S. District Court in Minneapolis, alleging negligence related to the cyberattack and claiming they are incurring excessive costs due to its aftermath.

Furthermore, Odom and Dillman alleged in their court documents that their insurer, UnitedHealthcare, denied claims on the grounds of late filings despite covering patient care.

Lawmakers view the disruption caused by these attacks as a consequence of United’s relentless pursuit of acquisitions, including Change and various medical practices. This widespread upheaval highlights the deep entrenchment of United’s subsidiaries in the national healthcare framework.

“This serves as another reminder that the swift integration of major healthcare firms may be doing more harm than good,” stated Sen. Ron Wyden, a Democrat from Oregon, regarding the financial strain imposed on practices by these cyberattacks.

Last month, the American Medical Association expressed its concerns to Optum, the United Health division owning Change, regarding the pressure many practices face to repay loans despite ongoing financial hardships due to the attacks.

Since March 2024, Change has provided $9 billion in interest-free loans to over 10,000 healthcare providers, including $569,680 for Odom and $157,600 for Dillman.

A year later, approximately $5.5 billion has been repaid, according to United’s court application. About 3,500 practices, including Odom, Dillman, and six other plaintiffs, had yet to repay as of April 1. Numerous other practices and patients have also initiated lawsuits against United.

In its statement, Change emphasized it would “proactively work with providers to identify flexible repayment plans tailored to their specific circumstances.”

“We’ve also collaborated with UnitedHealthcare to ensure claims are reviewed considering the challenges we’ve faced, including waiving timely submission requirements for plans under its governance.”

Change drew parallels between its loan recovery efforts and those of the Centers for Medicare and Medicaid Services (CMS). Following the cyberattack, CMS expedited payments to practices to assist with Medicare claims pending due to the attack. They offered accelerated payments to reclaim funds from Medicare claims.

In court filings, United reported data indicating that a minor percentage of Odom and Dillman’s healthcare claims were rejected due to being “too early,” although denials escalated after the cyberattacks.

Denouncing the plaintiff’s motion as a “group shakedown,” UnitedHealth urged the district court to dismiss a request for an injunction regarding loan repayment, asserting the right to manage relations with thousands of other loan recipients.

United contended that the injunction might permit other medical practices to “hold billions of dollars hostage.”

Dr. Megan Dillman, a specialist in pediatrics and internal medicine, opened her practice in Lakeville, Minnesota in 2022, aiming to “restore joy in practicing medicine.” She argued that her healthcare business spends significantly more time with patients compared to the average 15 minutes doctors are increasingly limited to.

“Without our existence, there are patients who might not be here today,” Dr. Dillman noted, referencing a cancer diagnosis that was missed by another hurried physician.

Her husband, Richard Dillman, manages the business operations of her practice and has called for United to fulfill its repayment obligations.

“I would rather endure the Special Forces Qualification Courses than face this situation again,” remarked former Green Beret Dillman.

At the time of the cyberattack, Change’s Medical Building Clearinghouse processed approximately 45% of healthcare transactions across the nation, amounting to around $2 trillion annually. The company had to pause services in February 2024 to mitigate damage, halting a significant portion of the healthcare system’s cash flow.

There was a breach of sensitive personal information, marking the largest breach recorded in U.S. healthcare history. In January, United increased the number of individuals whose personal data was compromised to 109 million from approximately 100 million previously reported.

The U.S. Department of Health and Human Services’ Civil Rights Office commenced an investigation in March 2024 concerning the ransomware attack. An agency spokesperson noted that they “do not comment on ongoing or potential investigations.” Some healthcare firms may face penalties for violations related to patient data mishandling.

Company executives reported that hackers exploited compromised login credentials, utilizing a portal that didn’t require multifactor authentication.

United authorities confirmed that they paid a $22 million ransom to a Russian cybercriminal who claimed responsibility for the attack. In a January revenue report, the cyberattack was stated to have cost the company $3.1 billion.

Healthcare reimbursements did not start flowing more freely through Change until June 2024, with United noting that the full restoration of services took time and some areas were still not back to 100%.

During a May 2024 Congressional hearing, a senator criticized United CEO Andrew Witty regarding the company’s response to the cyberattacks and the resulting struggles faced by thousands of providers. Witty testified that the company “will not pursue repayment until providers confirm that operations are back to normal.”

The repayment terms stipulate that Change does not require payments until “the affected billing and/or payment processing services have resumed during the service disruption period.”

The interpretation of “to be dealt with” is central to the ongoing lawsuit.

Change initiated collection attempts from Dillman and Odom, which were described in court documents as a series of increasingly aggressive letters. Both practices have been changed, barring repayment and rejecting offers for repayment plans. Change subsequently demanded full repayment in January, threatening to withhold future health care reimbursements.

“It’s disheartening, but not surprising, that United Health Group has chosen to prioritize profits over the well-being of families and small businesses,” stated Wyden, who led the Senate inquiry into the cyberattacks.

The AMA urged the company to negotiate “individual and realistic repayment plans” with each practice.

Dr. Katherine Mazzola, who operates pediatric neurology and neurosurgery practices in New Jersey, is among many others contesting United over loans.

“In my view, Optum operates like a loan shark that seeks swift collection,” remarked Dr. Mazzola, a non-plaintiff in the case against United.

Dr. Mazzola received a loan of $535,000 and later informed Change that she was unable to repay it. Despite suggesting a payment schedule, there was no response. Consequently, she began paying $10,000 monthly in January. Nevertheless, without notice, she reported that United started to withhold her reimbursements.

Currently, Dr. Odom employs around 110 individuals, many of whom assist seniors in assisted living facilities. He contended that if his practice were forced to immediately repay the Change loan, at least 22 staff members would need to be laid off. Dr. Odom asserted that this could hinder care availability, reduce services, and create further economic challenges.

“We are navigating a challenging battle as a small firm,” declared Odom President Dr. Meghan Klein, emphasizing the significant impact the financial situation poses for his company compared to United’s. “These are lives we are concerned about.”

According to the lawsuit, Dillman Clinic, which relies on United Insurance reimbursements for about 25% of its income, could face bankruptcy if compelled to fully repay the loan.

They claimed Dillman would risk losing all assets, including homes, vehicles, and retirement savings, if bankruptcy ensues.

“Part of my purpose in being here is to manage my schedule,” Dr. Dillman mentioned. However, the chaos stemming from the cyberattacks consumes their time, leaving little for their six-year-old daughter.

“I have just an hour to spend with her,” Dr. Dillman said, “I am missing out on her childhood.”