Skip to main content

Change Healthcare Cyberattack: News and Resources

The Feb. 21 hack of the data interchange company caused disruptions for providers and patients. Here's an information roundup.

Roundup
Date: Friday, March 22, 2024

[Last updated: May 8]

Latest News

May 1: UnitedHealth Says Up to One-Third of Americans May Be Affected by Change Cyberattack
From CNN: "A third of Americans may have had their personal data swept up in a February ransomware attack on a UnitedHealth Group subsidiary that disrupted pharmacies across the US, UnitedHealth CEO Andrew Witty estimated in testimony to Congress on Wednesday. It will likely take 'several months' before UnitedHealth is able to identify and notify Americans impacted by the hack because the company is still combing through the stolen data, Witty said in written testimony."

May 3: Recap of Change Cyberattack Senate Committee Hearing
From MedCity News: " The chief executive officer of UnitedHealth Group appeared in front of two Congressional Committees on Wednesday, forced to answer uncomfortable questions on how his company handled what is being described as the worst malicious ransomware attack in the history of the healthcare industry … Here are the key moments and takeaways from the 2-hour-plus hearing in the Senate Committee on Finance."

April 23: Novitas Tells Providers to Stop Submitting Paper Forms
Medicare administrative contractor Novitas Solutions, which operates in the District of Columbia, Delaware, Maryland, New Jersey, and Pennsylvania, has advised providers to return to electronic submissions of Medicare claims forms "now that Change Healthcare and Optum have restored their customers' ability to electronically bill Medicare." Tip: Other MACs may implement similar changes, so it's a good idea to check in regularly for announcements. Find a directory and map of MACs here.

From UnitedHealth Group (Parent Company of Change Healthcare)

Ongoing: Regularly Updated Information on Cyberattack Response
UnitedHealth Group describes the webpage as "a main source for the latest business and information updates, UnitedHealthcare, Optum and Change Healthcare stakeholders" with links to other resources. The page includes information on temporary funding, a list of frequently asked questions, news updates, and more.

From the U.S. Centers for Medicare & Medicaid Services

March 15: CMS Statement on Medicaid Enforcement Flexibilities (and Link to Informational Bulletin)
CMS issued a statement on March 15 outlining flexibilities in some of its Medicaid rules in response to the Change cyberattack. The resource includes a link to a detailed 13-page informational bulletin.

March 13:  Accelerated/Advanced Payment Program Frequently Asked Questions
What is the CHOPD program? How long will payments be available? How long will it take to get the money? CMS answers these and more questions about its accelerated and advanced payment program.

March 9: CMS Extends MIPS Deadline, Reopens Exceptions Process in Response to Change Attack
The U.S. Centers for Medicare & Medicaid Services announced that it is extending the deadline for 2023 data submissions under the Merit-based Incentive Payment System, or MIPS, until April 15 at 8 p.m. ET. In addition, the agency has reopened the MIPS Extreme and Uncontrollable Circumstances, or EUC, exception application window until the same date and time. Only exception applications that cite the Change cyberattack as the reason for the request will be accepted. More information on the extension and exceptions processes is available from the CMS Quality Payment Program.

From the U.S. Department of Health and Human Services

March 25: HHS Shares Individual Payers' Assistance Information
The U.S. Department of Health and Human Services has compiled a toolkit that breaks down 10 commercial payers' assistance programs and resources available to providers impacted by the Change cyberattack. Programs from United Health Group, AmeriHealth Caritas, Blue Cross Blue Shield, Centene, Cigna, CVS Health, Elevance, Humana, Kaiser Permanente, and Molina are detailed in the document, which also includes contact information for those payers and more.

March 19: Readout of March 18 White House Meeting With Insurers
HHS issued a summary of a meeting between HHS Secretary Xavier Becerra, White House officials, and payers "to discuss actions to mitigate harms to patients and providers." The readout also includes a history of HHS actions on the Change cyberattack up to the meeting date.

March 13: HHS Office of Civil Rights Opens Investigation
The HHS Office of Civil Rights, which oversees enforcement of HIPAA privacy and security rules, has announced an investigation focusing on "whether a breach of protected health information occurred and Change Healthcare and UHG's compliance with the HIPAA rules."

March 10: Letter to Health Care Leaders
On March 10, HHS Secretary Becerra issued a letter that includes recommendations for payers, with specific calls to action for UnitedHealth Group.

In the Media

April 23: UnitedHealth Admits It Paid Ransom in Cyberattack
From IT Pro: "UnitedHealth Group has admitted it paid a ransom to threat actors who exfiltrated patient data in a breach affecting its subsidiary Change Healthcare. Researchers monitoring crypto wallets of the ALPHV group, believed to be responsible for the initial attack, suggested UnitedHealth had paid a $22 million dollar ransom in Bitcoin in early April."

April 23: UnitedHealth Says "Substantial Portion" of Americans' Health Information Exposed in Cyberattack; Acknowledges Second Extortion Attempt
From cybernews: "Health insurance behemoth UnitedHealth Group has confirmed that cyberattackers compromised a massive trove of sensitive data from its tech branch Change Healthcare, which could cover a 'substantial proportion of people in America.' Meanwhile, a second ransomware group that was demanding payments has delisted the company from its victim's page."

March 20: Infographic: Timeline of the Change Cyberattack
From healthleaders: A graphic chronology of major Change hack-related events from Feb. 21 to March 18.

March 18: Change Hack Raises Questions About the Data Security of the Health Care System
From Politico: "Eight officials with the government or U.S. hospitals interviewed by POLITICO say the hack underscores major vulnerabilities in the country’s health care system — raising critical questions about whether federal agencies and Congress need to do more to prevent another, potentially more serious, attack in the future."

March 12: White House Urges Payers to Move on Emergency Funds
From CNN: "Senior Biden administration officials on Tuesday pressed the CEO of health care giant UnitedHealth Group and other health care firms to do more to get vital payments flowing to health care providers three weeks after a cyberattack crippled those payment systems."

 

Back to top
Share This
Resource Details

Date: March 22, 2024
Contact:  news@apta.org
Content Type:  Roundup

Topics

Coding & Billing, Commercial Insurance

You Might Also Like...

News

Get Regular Insights on Regulatory, Legislative, and Payment Issues From APTA

Apr 17, 2024

Free to members, APTA's webinar series delivers crucial information in an easy-to-understand format. Register now for upcoming sessions.

News

APTA Wins AMA Award for Education on Caregiver Training Codes

Apr 2, 2024

After helping create the CPT codes and advocate for their adoption, APTA launched an education campaign featuring a practice advisory.

News

CMS Clears Up Inconsistent Information on New Caregiver Training Codes

Mar 29, 2024

A new FAQ resource from CMS confirms that information in an APTA Practice Advisory is correct.