Skip to main content

Change Healthcare Cyberattack: News and Resources

The Feb. 21 hack of the data interchange company caused disruptions for providers and patients. Here's an information roundup.

Roundup
Date: Friday, March 22, 2024

[Last updated: April 23]

Latest News

April 23: UnitedHealth Admits It Paid Ransom in Cyberattack
From IT Pro: "UnitedHealth Group has admitted it paid a ransom to threat actors who exfiltrated patient data in a breach affecting its subsidiary Change Healthcare. Researchers monitoring crypto wallets of the ALPHV group, believed to be responsible for the initial attack, suggested UnitedHealth had paid a $22 million dollar ransom in Bitcoin in early April."

April 23: UnitedHealth Says "Substantial Portion" of Americans' Health Information Exposed in Cyberattack; Acknowledges Second Extortion Attempt
From cybernews: "Health insurance behemoth UnitedHealth Group has confirmed that cyberattackers compromised a massive trove of sensitive data from its tech branch Change Healthcare, which could cover a 'substantial proportion of people in America.' Meanwhile, a second ransomware group that was demanding payments has delisted the company from its victim's page."

April 23: Novitas Tells Providers to Stop Submitting Paper Forms
Medicare administrative contractor Novitas Solutions, which operates in the District of Columbia, Delaware, Maryland, New Jersey, and Pennsylvania, has advised providers to return to electronic submissions of Medicare claims forms "now that Change Healthcare and Optum have restored their customers' ability to electronically bill Medicare." Tip: Other MACs may implement similar changes, so it's a good idea to check in regularly for announcements. Find a directory and map of MACs here.

From apta.org

CMS Offers Accelerated and Advance Payments
A relief program announced on March 9 offers advanced or accelerated payments to qualified providers that would be repaid by way of automatic deductions from future claims.

From UnitedHealth Group (Parent Company of Change Healthcare)

Regularly Updated Information on Cyberattack Response
UnitedHealth Group describes the webpage as "a main source for the latest business and information updates, UnitedHealthcare, Optum and Change Healthcare stakeholders" with links to other resources. The page includes information on temporary funding, a list of frequently asked questions, news updates, and more.

From the U.S. Centers for Medicare & Medicaid Services

CMS Extends MIPS Deadline, Reopens Exceptions Process in Response to Change Attack
The U.S. Centers for Medicare & Medicaid Services announced that it is extending the deadline for 2023 data submissions under the Merit-based Incentive Payment System, or MIPS, until April 15 at 8 p.m. ET. In addition, the agency has reopened the MIPS Extreme and Uncontrollable Circumstances, or EUC, exception application window until the same date and time. Only exception applications that cite the Change cyberattack as the reason for the request will be accepted. More information on the extension and exceptions processes is available from the CMS Quality Payment Program.

Accelerated/Advanced Payment Program Information and Instructions
This CMS fact sheet outlines the Change Healthcare/Optum Payment Disruption, or CHOPD, program: how it works, who qualifies, how to apply, and more.

Accelerated/Advanced Payment Program Frequently Asked Questions
What is the CHOPD program? How long will payments be available? How long will it take to get the money? CMS answers these and more questions about its accelerated and advanced payment program.

CMS Statement on Medicaid Enforcement Flexibilities (and Link to Informational Bulletin)
CMS issued a statement on March 15 outlining flexibilities in some of its Medicaid rules in response to the Change cyberattack. The resource includes a link to a detailed 13-page informational bulletin.

From the U.S. Department of Health and Human Services

HHS Shares Individual Payers' Assistance Information
The U.S. Department of Health and Human Services has compiled a toolkit that breaks down 10 commercial payers' assistance programs and resources available to providers impacted by the Change cyberattack. Programs from United Health Group, AmeriHealth Caritas, Blue Cross Blue Shield, Centene, Cigna, CVS Health, Elevance, Humana, Kaiser Permanente, and Molina are detailed in the document, which also includes contact information for those payers and more.

Readout of March 18 White House Meeting With Insurers
HHS issued a summary of a meeting between HHS Secretary Xavier Becerra, White House officials, and payers "to discuss actions to mitigate harms to patients and providers." The readout also includes a history of HHS actions on the Change cyberattack up to the meeting date.

Letter to Health Care Leaders
On March 10, HHS Secretary Becerra issued a letter that includes recommendations for payers, with specific calls to action for UnitedHealth Group.

HHS Office of Civil Rights Opens Investigation
The HHS Office of Civil Rights, which oversees enforcement of HIPAA privacy and security rules, has announced an investigation focusing on "whether a breach of protected health information occurred and Change Healthcare and UHG's compliance with the HIPAA rules."

In the Media

Infographic: Timeline of the Change Cyberattack
From healthleaders: A graphic chronology of major Change hack-related events from Feb. 21 to March 18.

White House Urges Payers to Move on Emergency Funds
From CNN: "Senior Biden administration officials on Tuesday pressed the CEO of health care giant UnitedHealth Group and other health care firms to do more to get vital payments flowing to health care providers three weeks after a cyberattack crippled those payment systems."

Change Hack Raises Questions About the Data Security of the Health Care System
From Politico: "Eight officials with the government or U.S. hospitals interviewed by POLITICO say the hack underscores major vulnerabilities in the country’s health care system — raising critical questions about whether federal agencies and Congress need to do more to prevent another, potentially more serious, attack in the future."

Back to top
Share This
Resource Details

Date: March 22, 2024
Contact:  news@apta.org
Content Type:  Roundup

Topics

Coding & Billing, Commercial Insurance

You Might Also Like...

News

Get Regular Insights on Regulatory, Legislative, and Payment Issues From APTA

Apr 17, 2024

Free to members, APTA's webinar series delivers crucial information in an easy-to-understand format. Register now for upcoming sessions.

News

APTA Wins AMA Award for Education on Caregiver Training Codes

Apr 2, 2024

After helping create the CPT codes and advocate for their adoption, APTA launched an education campaign featuring a practice advisory.

News

CMS Clears Up Inconsistent Information on New Caregiver Training Codes

Mar 29, 2024

A new FAQ resource from CMS confirms that information in an APTA Practice Advisory is correct.