Change Healthcare Cyber-Attack: Fallout and Subsequent Responses

On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG), suffered what is now called the “most significant cyber-attack on the U.S. health care system in American history” at the hands of the Blackcat ransomware group. What makes this ransomware attack unprecedented is Change Healthcare’s role in the health care system – it is the main source of more than 100 critical functions that keep the U.S. health care system operating. Change Healthcare’s technology manages the clinical criteria used to authorize a significant portion of patient care and coverage; processes billions of claims; supports clinical information exchange; and processes drug prescriptions.

This cyber-attack resulted in widespread crippling of Change Healthcare’s functionality, which ultimately resulted in disruption of patient care and timely claims processing/reimbursement for hospitals, healthcare systems and medical practices. According to a survey from the American Hospital Association (AHA), more than 80 percent of hospitals state their cash flow has been affected by this breach.

As of March 1, 2024, UHG created a website to serve as a resource for providing updates on their response to the cyber-attack. To mitigate the financial impact, UHG is offering a temporary funding assistance program, which UHG has advanced more than $2.5 billion to providers thus far. The company has also released an estimated timeline for the restoration of its services, which will be updated as the products get restored.

Also in response to the cyber-attack, the U.S. Department of Health and Human Services (HHS) has announced immediate steps “that the Centers for Medicare & Medicaid Services (CMS) is taking to assist providers to continue to serve patients.” Specifically, flexibilities that have been put in place for affected providers during this type of outage:

  • For provider clearinghouse changes, Medicare Administrative Contractors (MACs) are instructed to provide instructions to process the new EDI enrollment; and expedite these requests of new electronic data interchange (EDI) enrollment.
  • For Medicare Advantage (MA) organizations and Part D sponsors, CMS will offer guidance to remove or relax prior authorization, other utilization management, and timely filing requirements; and encourage MA plans to offer advance funding to severely impacted providers.
  • For problems filing claims or other necessary submissions, Medicare providers are instructed to contact their MAC for details on exceptions, waivers, extensions or quality reporting programs.
  • For claim submission, CMS has contacted all MACs to ensure they are prepared to accept paper claims when providers need to file them.

Palmetto GBA, the part A/B MAC for Alabama, Georgia, Tennessee, North Carolina, South Carolina, Virginia and West Virginia, issued an article regarding the Change Healthcare Security, which include the list of CMS flexibilities:

“The Centers for Medicare & Medicaid Services (CMS) and Palmetto GBA are aware that Change Healthcare recently experienced a cyberattack. Change Healthcare is a clearinghouse that connects providers with insurance payers and has operations that impact the submission of Medicare claims, including claims submitted to Palmetto GBA and Railroad Medicare. At this time, there is no indication that Medicare systems have been compromised. This is not a CMS or Palmetto GBA incident. We understand the need to make sure your patients have continued access to care, and the ability to submit Medicare claims. Palmetto GBA takes these matters very seriously and will provide additional updates should they become available. If your EDI clearinghouse is impacted, we recommend you check directly with them for further instructions.”

According to UHG, multiple Change Healthcare functions have been restored including pharmacy network services, the electronic payments platform so that so payer implementations are proceeding, and the medical claims preparation software is back online. $14 billion in charges have been staged for processing thus far.

The HHS Office for Civil Rights (OCR) has launched an investigation into the cyber-attack. “Given the unprecedented magnitude of this cyber-attack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the agency said in a statement. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” UHG stated it would cooperate with the OCR investigation.