HHS Says It’s Working to Help Those Impacted by Change Healthcare Cyberattack

The United States Department of Health and Human Services released a statement Tuesday that addresses the cyberattack on Change Healthcare. The agency said it is in contact with leadership at the company to ensure an effective response and is also working to help coordinate efforts to avoid further disruptions in the future.¹

Sign of US Department of Health & Human Services at its headquarters in Washington, D.C. / JHVEPhoto - stock.adobe.com

What’s the Issue?

Change Healthcare, which is owned by UnitedHealth Group, was the victim of a cyberattack on February 21. The attack was performed by a group of hackers who stole patient data and other important information, and caused an outage at the company that left numerous hospitals and healthcare providers unable to bill for services.²

• Change Healthcare is the largest processor of medical claims in the country. According to the company’s website, it completes 15 billion transactions every year, representing over $1.5 trillion in healthcare claims.³
• The HHS statement said the Centers for Medicare & Medicaid Services is taking action to help providers continue to see patients and is communicating with the larger health care community to initiate flexibilities.

Why it Matters

The cyberattack caused major disruptions in large and small practices across the country. Many doctors were not able to check patients eligibility for treatment, fill prescriptions electronically, or receive reimbursements from insurers.⁴

• In response, UnitedHealth announced it was launching a financial assistance program to aid providers that are dealing with cash flow issues, but it’s been widely criticized for not providing enough support.
• Although the HHS statement provides some relief, it has also been panned by advocacy groups, including the American Hospital Association (AHA), the Federation of American Hospitals (FAH), and the American Medical Association (AMA).

Expert Commentary

• “I don’t think that people are aware that the actual people providing the services are not able to extract revenue for those services,” Dan Inder Sraow, MD, told CNBC.⁴ “We don’t know how long that’s going to be, and that’s such a dangerous, dangerous thing.”
• “I worry about providing for [patients],” Kiranjit Khalsa, MD, told CNBC.⁴ “I also worry about: Where am I going to get this money if it does not come through? Do I need to take a loan out to keep the clinic afloat?”
• “We…appreciate that UnitedHealth Group has come to recognize ‘the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,’” Richard J. Pollack, president and CEO of AHA, said in a letter to UnitedHealth.⁵ “Regrettably, the Temporary Funding Assistance Program that your company announced on Friday is not even a band-aid on the payment problems you identify.”
• “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, such as Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems,” UnitedHealth said in a statement.⁶ “We are actively working to understand the impact to members, patients and customers.”

In Depth Insights

Cyberattacks on healthcare companies have been increasing significantly over the past several years, causing HHS to develop a strategy that focuses “…specifically on strengthening resilience for hospitals, patients, and communities.”⁷

• Data from HHS indicates there was a 93% increase in large breaches between 2018 and 2022, as well as a 278% increase in large breaches involving ransomware.⁷
• Other health care companies that have been impacted by cyberattacks in recent years include Trinity Health, Shields Healthcare Group, Broward Health, and OneTouchPoint.

Extra Reading

For more on this issue check out these articles.

• Providers say fallout from UnitedHealth cyberattack 'a mess' and threatens their financial health. (Star Tribune)
• Physicians beg for relief amid Change Healthcare payment crisis. (Washington Post)

References

1. HHS Statement Regarding the Cyberattack on Change Healthcare. News Release. HHS. March 5, 2024. Accessed March 6, 2024. https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html

2. Diamond D, Gilbert D. Officials rush to help hospitals, doctors affected by Change Healthcare hack. News Report. Washington Post. March 5, 2024. Accessed March 6, 2024. https://www.washingtonpost.com/health/2024/03/05/change-healthcare-insurance-hack-hhs-plan/

3. Eligibility and Claims APIs. Report. Change Healthcare. Accessed March 6, 2024. https://community.changehealthcare.com/developers/eligibilityandclaims

4. Capoot A. Outages from Change Healthcare cyberattack causing financial ‘mess’ for doctors. News Report. CNBC. February 29, 2024. Accessed March 6, 2024. https://www.cnbc.com/2024/02/29/change-healthcare-cyberattack-has-caused-financial-mess-for-doctors.html

5. AHA Expresses Concerns with UHG Program in Response to Cyberattack on Change Healthcare letter page 1. AHA Expresses Concerns with UHG Program in Response to Cyberattack on Change Healthcare. News Release. AHA. March 4, 2024. Accessed March 6, 2024. https://www.aha.org/lettercomment/2024-03-04-aha-expresses-concerns-uhg-program-response-cyberattack-change-healthcare

6. Information on the Change Healthcare Cyber Response. News Release. UnitedHealth Group. March 5, 2024. Accessed March 6, 2024. https://www.unitedhealthgroup.com/changehealthcarecyberresponse

7. HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Health Care and Public Health Sectors. News Release. HHS. December 6, 2023. Accessed March 6, 2024. https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html