Health Care Providers Navigate Fallout of Major Cyberattack on Change Healthcare

Change Healthcare, an affiliate of Optum and UnitedHealth Group, processes more than 15 billion health care transactions annually and touches one of every three patient records. On February 21, Change disconnected its technology systems after reporting it was the victim of a cyberattack. Weeks later, health care providers continue to grapple with the operational, financial, and legal implications arising from the incident.

What Happened?

Change specializes in various health care technology solutions and services, including revenue cycle management, clinical decision support, and pharmacy solutions. It acts as a critical intermediary between health care providers and insurance companies, facilitating the exchange of health care information for billions of claims each year.

On February 21, Change reported enterprise-wide connectivity issues due to a cybersecurity issue and subsequently disconnected its information technology systems, essentially halting its operations. The company later identified ALPHV/Blackcat, a well-known ransomware group, as the “threat actor” that had gained unauthorized access to the company’s systems.

As of the date of this alert, while various Change systems have restored connectivity, others remain offline. The company expects to reestablish its electronic payment platform and restore claims network connectivity by mid-March 2024.

The Impact on Providers

Across the health care industry, providers have endured significant disruption from the Change cyberattack. In a letter to Congress dated March 4, the American Hospital Association (AHA) stated that Change’s downed systems “are hampering providers’ ability to verify patients’ health insurance coverage, process claims and receive payment from many payers, exchange clinical records with other providers, provide cost estimates and bill patients, and, in some instances, access the clinical guidelines used in clinical decision support tools and as part of the prior authorization process.” These interruptions are also directly impacting patients, who have reported losing access to copayment assistance and discount programs for prescription medications and experiencing disruption in the processing of prior authorizations necessary to receive treatment.

According to an estimate from First Health Advisory, a digital health risk assurance firm, providers are losing more than $100 million daily in the aftermath of the Change cyberattack. In its March 4 letter to Congress, AHA described the loss of revenue as “staggering,” with some hospitals and health systems potentially “unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.” Likewise, in a March 7 letter to the Centers for Medicare & Medicaid Services (CMS), the American Medical Association reported that physician practices “face substantial uncertainty about when they will be able to resume daily transactions that sustain their practice and must make unenviable decisions about how to continue to meet their obligations, including paying their staff salaries, while continuing to care for their patients.”

CMS Offers Accelerated and Advance Medicare Payments to Mitigate Financial Losses

CMS acknowledged that Medicare providers and suppliers “may face significant cash flow problems from the unusual circumstances impacting facilities’ operations, preventing facilities from submitting claims and receiving Medicare claims payments when using the Change Healthcare platform.” On March 9, in response to these concerns, CMS announced that it was providing Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Medicare Part A providers and advance payments to Medicare Part B suppliers experiencing claims disruptions as a result of the incident.

The payments may be granted in amounts approximating up to 30 days of claims payments to eligible providers and suppliers. The average 30-day payment is based on the average monthly Medicare claims paid to the provider or supplier between August 1, 2023, and October 31, 2023, divided by three. The payments will be repaid through automatic recoupment from Medicare claims over a 90-day period. A demand for any remaining balance will be issued on day 91 following the payment issuance. Providers and suppliers must certify that they meet specific eligibility criteria, including experiencing disruption in claims payment or submission related to the cyberattack, and acknowledge the terms and conditions of the payments in a signed agreement.

Because the CHOPD accelerated and advance payments are based on Medicare claims, they may offer limited relief to providers with a high volume of Medicaid claims, including children’s hospitals, federally qualified health centers, and rural health centers. Recognizing that “many Medicaid providers are deeply affected by the impact of the cyberattack,” CMS noted that it is “continuing to work closely with States and [is] urging Medicaid managed care plans to make prospective payments to impacted providers, as well.” In a March 10 letter to health care industry leaders addressing the Change cyberattack, the US Department of Health and Human Services and US Department of Labor also called on Medicaid plans, as well as private insurers, to begin making interim payments to impacted providers.

Patient Information Privacy and Security Concerns

As Change has focused on restoring its systems following the cyberattack, the company has not yet publicly announced the extent of any data breach affecting patient information. As of the date of this alert, the company’s cyber response webpage states only that the company’s “privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers.”

Given the current level of knowledge regarding the cyberattack and taking into account the scale of Change’s operations, the attack has the potential to be one of the largest — if not the largest — health care data breaches in history. As a result, millions of patients across the United States may soon receive notifications that their health-related information was compromised in the attack.

Meanwhile, at least six lawsuits seeking class-action status have already been filed against Change and its affiliates. The suits allege that Change failed to maintain reasonable cybersecurity measures to prevent a data breach that resulted in potential identity theft, loss of privacy, and other harms.

Next Steps for Providers

Providers across the health care delivery system should determine the extent of any damage to their systems or operations and revisit their data privacy and security policies and contracts to ensure their patients’ data is protected to the fullest extent possible. Among other actions, providers should:

  • Identify the types of provider data and information Change hosts or accesses.
  • Review contracts and business associate agreements to determine their rights, remedies, and obligations in the wake of the cyberattack.
  • Account for and document any disruptions to their services.
  • Take appropriate action in accordance with their privacy and security policies and procedures to determine the extent of any damage to their networks and data systems and take all available remedial actions.
  • Determine eligibility and consider application for CHOPD accelerated and advance payments.
  • Monitor information and updates from Change regarding the cyberattack.

ArentFox Schiff continues to closely monitor developments relating to the Change cyberattack. Providers who have been or may be affected should contact David Greenberg, Douglas Grimm, Hillary Stemple, Gayland Hethcoat, or the ArentFox Schiff attorney who usually handles your matters.
