The U.S. Department of Health and Human Services (HHS) has issued a comprehensive response to the cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), which occurred in late February 2024. This attack, initiated by the Blackcat ransomware, severely impacted more than 100 systems belonging to Change Healthcare, disrupting key healthcare operations nationwide. These systems are a key part of various healthcare processes, including insurance coverage verification, claims submission, and payment processing, rendering their inaccessibility a concern for healthcare providers across the country.
HHS has taken proactive steps to coordinate efforts with UHG leadership, state partners, and external stakeholders as a consequence of the widespread impact on healthcare operations. Through regular communication channels, HHS aims to assess the extent of the cyberattack’s consequences and ensure the continuity of healthcare services. The department emphasizes the importance of UnitedHealth Group’s efforts to restore and maintain operations quickly, highlighting the urgency of the situation.
Acknowledging the challenges faced by healthcare providers due to the cyberattack, HHS has announced immediate support measures through the Centers for Medicare & Medicaid Services (CMS). These measures include facilitating expedited processes for providers needing to switch clearinghouses for claims processing, ensuring minimal disruption to billing processes. CMS is advocating for the relaxation of prior authorization and filing requirements for Medicare Advantage (MA) organizations and Part D sponsors, easing administrative burdens on providers during this period. HHS is urging Medicaid and Children’s Health Insurance Program (CHIP) managed care plans to adopt similar flexibility measures, ensuring that Medicaid beneficiaries continue to receive uninterrupted access to healthcare services. The department recognizes the financial strain experienced by healthcare providers as a result of the cyberattack-induced disruptions and encourages the utilization of accelerated payment options and paper claims submissions to mitigate cash flow challenges.
HHS emphasizes its commitment to strengthening cybersecurity across the sector, highlighting the interconnected nature of the healthcare system and the need for cybersecurity resilience. This commitment is reflected in the department’s cybersecurity strategy outlined in a concept paper released in December 2023. The strategy includes voluntary performance goals, collaboration with Congress to develop support mechanisms, improved accountability measures, and improved communication channels to address cybersecurity threats effectively.
While the initial response from HHS has been met with positive feedback, concerns persist among healthcare providers and industry groups regarding the adequacy of the support measures. The President of the American Medical Association (AMA), Jesse Ehrenfeld, commends the initial steps taken by HHS’, stating “Many physician practices operate on thin margins, and we are especially concerned about the impact on small and/or rural practices, as well as those that care for the underserved,” said AMA President Jesse M. Ehrenfeld, MD, MPH. “The AMA urges federal officials to go above and beyond what has been put in place and include financial assistance such as advanced payments for physicians.” In the face of ongoing challenges, collaboration between government agencies, healthcare organizations, and industry stakeholders remains necessary for managing the aftermath of this cyberattack and ensuring the resilience of the healthcare system against future threats.
