Facing financial jeopardy, clinics sue to stop UnitedHealth from collecting on emergency loans

Dillman Clinic & Lab was finally at a point where the one-doctor practice in Lakeville could start thinking about hiring another physician.

Then, all of a sudden, the clinic was walloped by the aftermath of a major cyberattack at Change Healthcare, the UnitedHealth Group subsidiary hacked in February 2024.

The breach, which affected the data of 1 in 2 Americans, prompted the Eden Prairie-based health care giant to shut down a widely used computer system “clearinghouse” for processing claims that precipitated a nationwide cash flow crisis for health care providers.

“Our growth was stifled,” said practice manager Richard Dillman, whose wife has been the clinic’s sole practitioner since it opened in June 2022. “I remember turning to Megan and just saying, ‘I don’t know how we’re gonna survive.’”

Last year, UnitedHealth Group provided $9 billion in interest-free loans to assist health providers caught up in the financial nightmare. Now, as the company’s Optum division has begun seeking repayment, some are crying foul, saying they can’t pay because they’re not fully recovered.

Earlier this month, Dillman Clinic and another small health care provider in Minnesota filed for a preliminary injunction in federal court to stop UnitedHealth Group from collecting on their emergency loans.

Last week, the American Medical Association (AMA) fired off a letter saying Optum should make it easier for doctors to repay loans when many are still economically stressed.

“Physician practices are still suffering severe financial distress as a result of the cyberattack nearly 14 months after the breach was first discovered,” wrote Dr. James Madara, the AMA’s CEO and executive vice president.

“To be clear, physicians and other medical providers did nothing wrong and were compliant with industry standards and regulations; they did not suffer any data breach of their systems but were powerless to prevent the widespread service outage caused by the failure of [Change Healthcare] to secure its data and keep its systems operational.”

Optum responded to the AMA this week, saying the company continues to work with health care providers to find flexible repayment plans based on the individual circumstances of clinics and medical practices.

In a statement, the company said it has given health care providers significantly more time to start repaying loans than the U.S. Department of Health and Human Services (HHS) did with a parallel financial assistance program last year.

“More than one year post the event and with services restored, we have begun the process of recouping the interest-free funding we provided to providers — as HHS itself did when it began recouping repayments it provided under its own cyber-attack lending program in July 2024," the company said.

“We continue to work with providers on repayment and other options, and continue to reach out to those providers that have not been responsive to previous calls or email requests for more information.”

The push by two small clinics for a preliminary injunction comes as two putative class-action lawsuits make their way through U.S. District Court of Minnesota.

In one case, more than 60 patients are plaintiffs seeking monetary damages and other relief for the alleged loss of privacy and other harms. In a second complaint, more than two dozen health care providers are seeking damages related to the massive hack, which brought the ire of lawmakers during congressional hearings last year.

“Change Healthcare defendants failed to implement reasonable security procedures and practices and failed to disclose material facts surrounding their deficient security protocols,” plaintiffs argued in a January filing.

“As a result of defendants’ conduct, providers have suffered and will continue to suffer substantial harm,” the complaint says. “The event pushed many providers to the brink of collapse. ... Providers will never see compensation for claims that they were unable to submit during the shutdown. ... Providers are still in a precarious financial situation due to defendants’ conduct and failures.”

UnitedHealth Group has filed motions to dismiss both lawsuits, arguing that the patients’ are trying to “manufacture liability where there is none.” It contends the lawsuit from health care providers is flawed for attributing harms such as missed or delayed claims payments to the cyberattack, versus the temporary system disruption.

“Plaintiffs cannot point to a duty — in contract, at common law, or under statute — to maintain services at all costs and at all times, including during a cyberattack," the company argued in a motion filed last month.

“Although defendants had no obligation to loan $9 billion to providers during this time, this action obviates plaintiffs’ claims of injury,” the motion says. “Incredibly, plaintiffs attempt to retain these billions of dollars of loans, despite the fact that nearly all the services were restored months ago, in addition to seeking further compensation through this complaint.”

UnitedHealth Group has not yet responded in court to the motion for a preliminary injunction, or a separate lawsuit from Eden Prairie-based Odom Sports Medicine P.A., which joined Dillman Clinic in seeking relief from Optum’s push for repayment.

“We believe these lawsuits are baseless and we intend to defend ourselves vigorously,” the company said in a statement to the Minnesota Star Tribune.

Odom Sports Medicine argues that a preliminary injunction is needed because the clinic is still emerging from a $700,000 financial hole created by the Change Healthcare shutdown.

The medical practice estimates that it still has about $235,000 in outstanding claims that accrued from about February through August 2024 that it’s still trying to get processed through insurance. In the mix are claims to UnitedHealthcare Insurance Co. (UHIC) and the “giant web of subsidiary insurers” at UnitedHealth Group, the medical group alleges in a court filing.

“UHIC has denied approximately 39 claims totaling approximately $18,095 that were delayed due to the shutdown as ‘untimely,’” Odom Sports Medicine said in its request for a preliminary injunction.

In other words, one part of UnitedHealth is allegedly denying payment of funds that could help repay loans from another part of the same company.

“At least 20 of these claims accrued in February 2024. Even though Odom specifically informed UHIC that the claims were late due to the Change defendants’ complete system failure and shutdown caused by its corporate partner, UnitedHealthcare Insurance still denied the claims as untimely.”

In a statement, UnitedHealth Group said it has worked with its UnitedHealthcare insurance division to make sure claims are reviewed in light of the challenges faced by health care providers, including waivers for timely filing requirements. These accommodations, however, don’t extend to other health insurers or to all groups that hire United to administer their “self-insured” health plans, where employers take the financial risk for claims and ultimately set rules for payment.

“We have asked the AMA to join us in encouraging flexibility from all payers and plan sponsors,” the company said.

Dillman Clinic said in a court filing it has seen nearly $5,000 in claims denied by insurers, including UnitedHealthcare, as untimely.

The clinic received a total loan of $157,600 between April and September 2024. In November, UnitedHealth Group demanded repayment by Jan. 10, according to the filing, before granting an extension to May 5. The clinic alleged it’s been told that payments on claims submitted to UnitedHealthcare could be withheld going forward.

“If defendants force the entire repayment or start withholding claims, Dillman Clinic will face a substantial threat of bankruptcy or closing its doors,” according to the motion for a preliminary injunction.

On Tuesday, U.S. District Judge Donovan Frank set a briefing schedule for filings related to the motion. UnitedHealth Group shall respond by April 25, the judge ordered, with oral arguments at an unspecified later date.