HHS responds to Change Healthcare cyberattack, prioritizes minimizing healthcare service disruptions

The U.S. Department of Health and Human Services (HHS) acknowledges that Change Healthcare, a subsidiary of UnitedHealth Group (UHG), experienced a cybersecurity breach in late February. The department understands the significant effects this incident has had on healthcare operations nationwide, and its foremost priority is to facilitate coordination efforts to minimize interruptions in healthcare services across the system.

The move comes as Change Healthcare suffered a severe cyberattack last month, and is reported to have paid the responsible cybercriminals US$22 million in cryptocurrency to restore access to its systems. The cybercriminal organization, identified as Blackcat, also known as AlphV, has taken credit for the highly disruptive ransomware attack on Change Healthcare, which is part of UnitedHealth Group’s Optum division.

The HHS also announced immediate steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist providers to continue to serve patients. CMS will continue to communicate with the healthcare community and assist, as appropriate. Providers should continue to work with their payers for the latest updates on how to receive timely payments.

On the cyberattack, the HHS is in regular contact with UHG leadership, state partners, and numerous external stakeholders to better understand the nature of the impacts and to ensure the effectiveness of UHG’s response. 

HHS has made clear its expectation that UHG does everything in its power to ensure continuity of operations for all health care providers impacted and HHS appreciates UHG’s continuous efforts to do so. HHS is also leading interagency coordination of the federal government’s related activities, including working closely with the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the White House, and other agencies to provide credible, actionable threat intelligence to industry wherever possible.

HHS refers directly to UHG for updates on their incident response progress and recovery planning. However, numerous hospitals, doctors, pharmacies, and other stakeholders have highlighted potential cash flow concerns to HHS stemming from an inability to submit claims and receive payments. HHS has heard these concerns and is taking direct action and working to support the important needs of the healthcare community.

The agency said that medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions based on the specific request to expedite the new EDI enrollment. CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and ready to bill claims quickly. 

CMS is encouraging other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies and Medicaid and CHIP managed care plans, to waive or expedite solutions for this requirement. CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.

Furthermore, CMS encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State. 

If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs. CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them. While we recognize that electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims using that method.

Identifying the incident as a reminder of the interconnectedness of the domestic healthcare ecosystem and of the urgency of strengthening cybersecurity resilience across the ecosystem, the HHS pointed to its December concept paper that outlines the department’s cybersecurity strategy for the sector. 

The concept paper builds on the National Cybersecurity Strategy that President Joe Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper details four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, increasing accountability within the healthcare sector, and enhancing coordination through a one-stop shop.

“The American Medical Association credits the Department of Health and Human Services and the Centers for Medicare & Medicaid Services for responding to the urgent situation caused by the Change Healthcare cyber security incident and the unprecedented disruptions to medical practices and access to care,” Jesse M. Ehrenfeld, president of the American Medical Association, said in an emailed statement. “The newly announced flexibilities that have been put in place are a welcome first step, but we urge CMS to recognize that physicians are experiencing financial struggles that threaten the viability of many medical practices.” 

Ehrenfeld pointed out that many physician practices operate on thin margins, and “we are especially concerned about the impact on small and/or rural practices, as well as those that care for the underserved. The AMA urges federal officials to go above and beyond what has been put in place and include financial assistance such as advanced payments for physicians.”

HHS will continue to communicate with the healthcare sector and encourage continued dialogue among affected parties. “We will continue to communicate with UHG, closely monitor their ongoing response to this cyberattack, and promote a transparent, robust response while working with the industry to close any gaps that remain,” it added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.