The Uncomfortable Premise
Hospitals aren't like restaurants. If a restaurant can't run cards for an afternoon, it's annoying. If a hospital can't process claims for a week, it's a liquidity event.
A hospital can have full beds, staffed floors, and nonstop demand and still end up with a cash problem fast if reimbursements can't move. Most of the money flowing into hospitals comes from insurers, Medicare, and Medicaid, processed through a surprisingly small number of intermediary systems.
Nobody's blaming the hospitals here. The point is simpler than that. The pipes that move the money are more important than most people realize, and pipes break.
The Plumbing Is More Fragile Than It Looks
U.S. healthcare payments depend on a layer of intermediaries that most people never think about: claims clearinghouses, revenue-cycle management tools, eligibility verification, payment routing networks. These companies sit between every hospital and every dollar.
Nobody thinks about this layer when it works. But when it goes down, hospital cash flow stops. Not gradually. It just stops.
|
The U.S. Office of Financial Research flagged the Change Healthcare cyberattack as an example of how a disruption at a single key firm can interrupt payment flows across an entire sector — describing Change as the largest medical claims clearinghouse in the United States. |
Here's where it gets uncomfortable: this layer is extremely concentrated. Change Healthcare alone handled over one-third of all U.S. healthcare claims, roughly 15 billion transactions per year, when it got hit. The top handful of clearinghouses (Availity, Optum/Change, Waystar, Trizetto) process the vast majority of the country's medical billing. The whole system funnels through a few pipes.
"Single point of failure" sounds like an IT problem. In healthcare, it shows up on the balance sheet.
This Already Happened
Change Healthcare, February 2024
On February 21, 2024, Change Healthcare got hit with ransomware. Claims processing went dark. Not at one hospital. Everywhere, all at once.
Quick sidebar on who owns what here, because it matters. Change Healthcare is a subsidiary of Optum, which is a subsidiary of UnitedHealth Group, the largest healthcare company in the world. UnitedHealth Group also owns UnitedHealthcare, the insurance arm that became the center of a national conversation about claims denials after its CEO was murdered in December 2024. The same parent company that drew public outrage for how it handles insurance claims also runs the clearinghouse that processes a third of the country's medical billing. One arm decides whether your claim gets approved. The other arm is the pipe all the claims flow through. If you wanted to design a system with concentrated risk, you'd have a hard time doing better than this.
The American Hospital Association surveyed nearly 1,000 hospitals in early March 2024. The numbers:
|
|
|
Source: American Hospital Association survey, March 2024
One billing intermediary went down and hundreds of hospitals lost cash flow within days.
CMS responded by creating a specific relief program, Change Healthcare/Optum Payment Disruption (CHOPD) Accelerated and Advance Payments, because providers were experiencing direct Medicare payment disruption. Total relief distributed: approximately $3.3 billion.
There was relief money. But providers had to apply individually. The process wasn't instantaneous. And distribution was uneven, some providers got too much, others too little.
So yeah, the government showed up. But the gap between "payments frozen" and "relief check clears" is where things get ugly.
Why a Hospital REIT Is in the Blast Radius
Medical Properties Trust (MPT, recently changed from MPW) doesn't run hospitals. It owns hospital buildings and collects rent. So why does a cyberattack on a billing clearinghouse matter to a landlord? Because rent is just a claim on tenant cash flow. And tenant cash flow comes from reimbursements.
For most hospital tenants, cash flow is heavily tied to Medicare and Medicaid reimbursements arriving on time. If reimbursements get delayed across the system, it comes down to one thing:
|
How long can tenants float payroll, vendors, and debt service before something breaks? |
MPT's tenants don't have to be bad at running hospitals for this to become a problem. They just have to be thinly capitalized and highly levered, and based on the track record, some of them very much are.
The Steward Precedent
Steward Health Care filed Chapter 11 in May 2024. Reporting on the bankruptcy filings highlighted approximately $6.6 billion in long-term lease liabilities tied to MPT affiliates. (Private Equity Stakeholder Project)
The Covenant Reset
MPT amended its revolving credit facility in 2024, including a reset of its consolidated net worth covenant from ~$6.7B down to $5.0B, plus other covenant modifications. (SEC filing, August 2024)
None of this proves the cyber thesis on its own. But it paints a picture of a company without a lot of room to absorb another shock.
Why "Syndicated" Matters
There's a detail in MPT's debt structure that becomes the lynchpin of this entire scenario: the debt is widely syndicated, held by a large, fragmented group of bondholders rather than a single bank or small lending syndicate.
Why does that matter? If you owe one bank a billion dollars and miss a covenant for 30 days, you pick up the phone and negotiate a waiver. If you owe a thousand different bondholders a billion dollars, you can't get them all in a room to agree. A temporary technical breach, the kind that would be a phone call with a single lender, becomes a hard default with a fragmented bondholder base. That turns a temporary cash crunch into a potential bankruptcy, not because the business failed, but because the debt was structured for normal times. And "normal" doesn't include payment infrastructure going dark.
The Chain Reaction
Here's the scenario, spelled out step by step. Every link is conditional. I'm not saying this will happen. I'm saying if it does, the market isn't priced for it.
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
I'm not saying hospitals are doomed. I'm saying a single outage can weaponize the cash conversion cycle, and MPT's debt structure doesn't have the flexibility to absorb the gap.
The Kill Switch
Here's the strongest argument against everything I just laid out: the government can step in. And they probably will.
|
What would break this thesis
|
The government will probably step in. They did last time. But if the backstop shows up three weeks late, that's still three weeks of covenant math running against you.
During the Change Healthcare attack, CMS stood up the CHOPD program, but it took weeks to get payments out, and providers had to apply individually. That gap is the whole trade idea.
The System Is More Fragile Now Than It Was in February 2024
This point is worth making explicitly, because the default assumption is "well, they fixed it after last time." Let's check.
Since the Change Healthcare attack:
- Healthcare cyberattacks increased 30% (476 in 2024 to 575 in 2025)
- AI-powered attack tooling became broadly available, cutting the cost and skill level required to launch sophisticated campaigns
- CISA's budget and workforce are being cut, reducing the federal government's ability to respond to the next incident
- No meaningful legislation has forced clearinghouse redundancy or portability. Providers can't just "switch" to a backup processor overnight
- Hospital cybersecurity budgets remained flat or declined as a share of IT spending
- The clearinghouse market is still dominated by the same small group of companies processing the same concentrated volume
What did change: CMS now has a playbook for emergency advance payments. That's real. But having a playbook and executing it fast enough to prevent covenant breaches across a fragmented bondholder base are two very different things.
The system took a direct hit, patched the wound, and went back to operating the same way. Except now the attackers are better equipped and the defenders have fewer resources. That should bother you.
Why This Path Is Under-Modeled
Analysts cover MPT's tenants constantly: margins, admissions, labor costs, payer mix, state Medicaid rates, occupancy trends. All legitimate concerns.
What fewer models stress-test:
- "What if payments don't clear for weeks?" Even while care continues and beds are full.
- "What if the disruption hits many tenants at once?" Not individual operator failure, but a shared clearinghouse taking everyone down together.
- "What if the debt structure can't flex?" Syndicated means fragmented means no waiver path.
Wall Street knows how to model a hospital that's losing money. What it doesn't really model is a hospital that's making money but can't collect it, let alone a scenario where that happens to dozens of hospitals at the same time through one shared vendor.
Cyber Isn't Slowing Down
Separate from the MPT-specific case, the backdrop here deserves its own section because the trend lines are genuinely alarming.
|
|
|
Health-ISAC's 2025 threat landscape report describes continued escalation. Becker's Hospital Review tracked 575 health sector-specific attacks in 2025, up from 476 in 2024. Ransomware attacks across all sectors surged 126% in Q1 2025 compared to Q1 2024.
And when healthcare gets hit, it stays down. The average ransomware downtime across industries is about 24 days. In healthcare specifically, it averages 17 days of downtime per incident, and full operational restoration takes an average of 279 days. Only 58% of organizations achieve complete recovery.
Seventeen days of downtime at a hospital operator that depends on daily claims processing to make payroll. That's not an inconvenience. That's an existential cash flow event.
AI Is the Accelerant
The trend here isn't just "bad." It's getting structurally worse every quarter.
AI-powered cyberattacks increased 72% year-over-year through 2025. Automated vulnerability scanning hit 36,000 scans per second. Credential theft jumped 160%, driven by AI-enhanced phishing campaigns. The average cost of an AI-powered breach is now $5.72 million.
Some specifics worth listing:
- Trend Micro projects that by 2026, we could see fully automated hacking: AI running the entire attack chain from scanning to exploit to extortion, no human in the loop
- Palo Alto Networks predicts that by 2026, the majority of advanced cyberattacks will use AI to execute dynamic, multilayered attacks that adapt in real-time to defensive measures
- Experian's 2026 Data Breach Forecast calls AI the "major threat to cybersecurity in 2026," citing a new wave of sophisticated attacks
- Exploitation of known vulnerabilities surged 34% as AI tools automated scanning and exploitation of unpatched systems
The attackers are getting faster, cheaper, and more automated every month. Healthcare payment infrastructure will get targeted again. The only open questions are how soon and whether the target has the budget to defend itself.
Healthcare Is the Softest Target With the Biggest Consequences
Here's the mismatch that makes this whole thesis work: healthcare is the most attacked sector and one of the least funded for defense. At the same time.
The numbers are bleak:
- Hospitals spend 2-4% of their total budget on IT (tech companies spend 15-20%)
- Of that tiny IT budget, cybersecurity gets roughly 4-7% (financial services allocates ~15%)
- Some healthcare organizations allocate as little as 1-2% of their IT budget to security
- The global cybersecurity workforce gap hit 4.8 million unfilled positions in 2025 (19% YoY increase). Healthcare can't compete with tech-sector salaries to fill those roles
- Among for-profit hospitals, the share spending at least 10% of their IT budget on cybersecurity actually dropped from 22% in 2023 to 18% in 2024
Why? The World Economic Forum put it plainly: under budget constraints, hospitals concentrate resources on front-line patient care and transformative technologies, "leaving limited flexibility for other critical areas such as cybersecurity." Hard to argue with a hospital that chooses an MRI machine over a firewall upgrade. But the consequences of that choice compound.
Meanwhile, the Defenders Are Getting Defunded
While AI-powered attacks surge, the U.S. federal government is cutting cybersecurity funding:
- The Trump administration proposed cutting CISA's budget by ~$495 million (16%) for FY2026
- The National Risk Management Center, the group that assesses threats to critical infrastructure like power grids and healthcare, faces a 73% cut ($97.4 million) and the loss of 70 positions
- CISA's Cybersecurity Division faces an 18% cut
- The agency is projected to lose a third of its workforce
- The Joint Collaborative Environment, where CISA analyzes threat and incident data, faces a $36.5 million cut
Congress softened some of these cuts (the House committee landed at $135 million in cuts instead of $495 million), but the direction is clear: federal cyber defense capacity is shrinking while the threat is growing exponentially.
Healthcare organizations that relied on CISA advisories, threat intelligence sharing, and incident response support are increasingly on their own, with budgets that already can't keep up.
The Math Doesn't Work
Zoom out for a second. The picture looks like this:
- Attacks are up 30%+ year-over-year and accelerating
- AI is automating the entire attack pipeline
- Healthcare spends a fraction of what other sectors spend on defense
- Federal cyber support is being cut
- The payment infrastructure is concentrated in a handful of clearinghouses
- Average downtime from a ransomware hit is 17-24 days
- The last time a major clearinghouse went down, it took $3.3 billion in emergency government relief to patch the hole
This already happened in February 2024, and every variable has gotten worse since then. More attacks, better tools, less defense funding, same concentrated infrastructure. Another major clearinghouse breach is a matter of when, not whether.
The Trade (As a Storytelling Device)
One specific option contract illustrates the risk/reward math of a grey swan bet:
|
At $0.04 per contract, this is a $4 lottery ticket. You can't lose more than four bucks. But if the ugly chain reaction actually fires and the stock gaps down hard, the math gets very interesting very fast.