Skip to main content

[Last updated: Oct. 10]

Latest News

From the U.S. Centers for Medicare & Medicaid Services: Oct. 11 is the deadline for clinicians and groups that were impacted by the Change Healthcare cyberattack to apply for exceptions to MIPS reporting requirements based on extreme and uncontrollable circumstances, aka EUC, for the 2023 performance year. Note that this opportunity applies only for 2023. For guidance on EUC applications for the 2024 performance year (that application deadline is Dec. 31), see APTA’s article "Facing Challenges With MIPS Reporting Requirements? Exceptions Are Available."

 

June 21: Change Healthcare to start notifying customers who had data exposed in cyberattack 
From Associated Press: "Change Healthcare is starting to notify hospitals, insurers and other customers that they may have had patient information exposed in a massive cyberattack. The company also said Thursday that it expects to begin notifying individuals or patients in late July."

June 17: CMS Preparing to Close Program that Addressed Medicare Funding Issues Resulting from Change Healthcare Cyber-Attack 
From the U.S. Centers for Medicare & Medicaid Services: CMS announced that it will stop accepting new applications for accelerated or advance payment, saying providers are now successfully billing Medicare and that it has recovered over 96% of payments dispersed in the CHOPD program.

June 14: Notices Regarding the No Surprises Act 
From CMS: In a June 14 notice, CMS announced that it had extended the period for initiating open negotiation, which begins the dispute resolution process under the No Surprises Act. CMS set a deadline of Oct. 12, 2024, after receiving complaints from entities about difficulties in initiating open negotiation due to disruptions to claims processing caused by the Change cyberattack.

June 13: Ransomware attacks surged after Change Healthcare hack
From Axios: An uptick in ransomware attacks since the Change Healthcare security breach "suggests that the $22 million Change's parent, UnitedHealth Group, paid out to hackers to unlock its systems may have emboldened bad actors to further target the vulnerable industry."

May 1: UnitedHealth Says Up to One-Third of Americans May Be Affected by Change Cyberattack
From CNN: "A third of Americans may have had their personal data swept up in a February ransomware attack on a UnitedHealth Group subsidiary that disrupted pharmacies across the US, UnitedHealth CEO Andrew Witty estimated in testimony to Congress on Wednesday. It will likely take 'several months' before UnitedHealth is able to identify and notify Americans impacted by the hack because the company is still combing through the stolen data, Witty said in written testimony."

May 3: Recap of Change Cyberattack Senate Committee Hearing
From MedCity News: " The chief executive officer of UnitedHealth Group appeared in front of two Congressional Committees on Wednesday, forced to answer uncomfortable questions on how his company handled what is being described as the worst malicious ransomware attack in the history of the healthcare industry … Here are the key moments and takeaways from the 2-hour-plus hearing in the Senate Committee on Finance."

April 23: Novitas Tells Providers to Stop Submitting Paper Forms
Medicare administrative contractor Novitas Solutions, which operates in the District of Columbia, Delaware, Maryland, New Jersey, and Pennsylvania, has advised providers to return to electronic submissions of Medicare claims forms "now that Change Healthcare and Optum have restored their customers' ability to electronically bill Medicare." Tip: Other MACs may implement similar changes, so it's a good idea to check in regularly for announcements. Find a directory and map of MACs here.

From UnitedHealth Group (Parent Company of Change Healthcare)

Ongoing: Regularly Updated Information on Cyberattack Response
UnitedHealth Group describes the webpage as "a main source for the latest business and information updates, UnitedHealthcare, Optum and Change Healthcare stakeholders" with links to other resources. The page includes information on temporary funding, a list of frequently asked questions, news updates, and more.

From the U.S. Centers for Medicare & Medicaid Services

March 15: CMS Statement on Medicaid Enforcement Flexibilities (and Link to Informational Bulletin)
CMS issued a statement on March 15 outlining flexibilities in some of its Medicaid rules in response to the Change cyberattack. The resource includes a link to a detailed 13-page informational bulletin.

March 13:  Accelerated/Advanced Payment Program Frequently Asked Questions
What is the CHOPD program? How long will payments be available? How long will it take to get the money? CMS answers these and more questions about its accelerated and advanced payment program.

March 9: CMS Extends MIPS Deadline, Reopens Exceptions Process in Response to Change Attack
The U.S. Centers for Medicare & Medicaid Services announced that it is extending the deadline for 2023 data submissions under the Merit-based Incentive Payment System, or MIPS, until April 15 at 8 p.m. ET. In addition, the agency has reopened the MIPS Extreme and Uncontrollable Circumstances, or EUC, exception application window until the same date and time. Only exception applications that cite the Change cyberattack as the reason for the request will be accepted. More information on the extension and exceptions processes is available from the CMS Quality Payment Program.

From the U.S. Department of Health and Human Services

March 25: HHS Shares Individual Payers' Assistance Information
The U.S. Department of Health and Human Services has compiled a toolkit that breaks down 10 commercial payers' assistance programs and resources available to providers impacted by the Change cyberattack. Programs from United Health Group, AmeriHealth Caritas, Blue Cross Blue Shield, Centene, Cigna, CVS Health, Elevance, Humana, Kaiser Permanente, and Molina are detailed in the document, which also includes contact information for those payers and more.

March 19: Readout of March 18 White House Meeting With Insurers
HHS issued a summary of a meeting between HHS Secretary Xavier Becerra, White House officials, and payers "to discuss actions to mitigate harms to patients and providers." The readout also includes a history of HHS actions on the Change cyberattack up to the meeting date.

March 13: HHS Office of Civil Rights Opens Investigation
The HHS Office of Civil Rights, which oversees enforcement of HIPAA privacy and security rules, has announced an investigation focusing on "whether a breach of protected health information occurred and Change Healthcare and UHG's compliance with the HIPAA rules."

March 10: Letter to Health Care Leaders
On March 10, HHS Secretary Becerra issued a letter that includes recommendations for payers, with specific calls to action for UnitedHealth Group.

In the Media

April 23: UnitedHealth Admits It Paid Ransom in Cyberattack
From IT Pro: "UnitedHealth Group has admitted it paid a ransom to threat actors who exfiltrated patient data in a breach affecting its subsidiary Change Healthcare. Researchers monitoring crypto wallets of the ALPHV group, believed to be responsible for the initial attack, suggested UnitedHealth had paid a $22 million dollar ransom in Bitcoin in early April."

April 23: UnitedHealth Says "Substantial Portion" of Americans' Health Information Exposed in Cyberattack; Acknowledges Second Extortion Attempt
From cybernews: "Health insurance behemoth UnitedHealth Group has confirmed that cyberattackers compromised a massive trove of sensitive data from its tech branch Change Healthcare, which could cover a 'substantial proportion of people in America.' Meanwhile, a second ransomware group that was demanding payments has delisted the company from its victim's page."

March 20: Infographic: Timeline of the Change Cyberattack
From healthleaders: A graphic chronology of major Change hack-related events from Feb. 21 to March 18.

March 18: Change Hack Raises Questions About the Data Security of the Health Care System
From Politico: "Eight officials with the government or U.S. hospitals interviewed by POLITICO say the hack underscores major vulnerabilities in the country’s health care system — raising critical questions about whether federal agencies and Congress need to do more to prevent another, potentially more serious, attack in the future."

March 12: White House Urges Payers to Move on Emergency Funds
From CNN: "Senior Biden administration officials on Tuesday pressed the CEO of health care giant UnitedHealth Group and other health care firms to do more to get vital payments flowing to health care providers three weeks after a cyberattack crippled those payment systems."

 


You Might Also Like...

Open Access

Understanding ICD-10

Sep 11, 2024

Access answers to the most frequently asked questions on ICD-10.

Article

Identifying the Correct Codes for ICD-10

Sep 11, 2024

Access guidelines and information on how to identify the correct codes for ICD-10.

News

Updated UHC Language Confirms Policy Change on Documenting Treatment Time

Jul 31, 2024

The latest update comes after clarifications the insurer released last year following a set of initially burdensome policy expansions.