Cybersecurity

Cyberattack on Change Healthcare brings turmoil to healthcare operations nationwide

April 23 update: UnitedHealth Group is sharing additional information about PHI exposure from the attack.

March 20, 2024 9:00 am

Highlights

April 9: A possible second ransom demand

March 28: Issues with transmitting files to and from payers

March 26: A list of payer contacts for providers to inquire about advance payments

March 22: An update on the restoration of claims submission

March 14: An FAQ on Medicare accelerated and advance payments

March 6: Recommendations and resources for HFMA members

March 1: Link to UnitedHealth Group and Optum incident pages

April 24 updates

10:15 a.m. CT: Providers are still looking for solutions to lingering issues from the Change Healthcare cyberattack, according to comments during an April 19 call of HFMA’s Change Healthcare Business Continuity Workgroup.

Claims

A provider representative said supplemental payers such as Medigap plans have indicated they are not receiving crossover claims from Medicare because of backlogs. Change Healthcare’s recommended workaround is to submit paper claims, although providers have noted that step imposes an administrative burden and potentially leads to issues with claim reconciliation.

In an April 22 update, UnitedHealth Group (UHG) wrote: “Medical claims across the U.S. health system are now flowing at near-normal levels as systems come back online or providers switch to other methods of submission. Change Healthcare realizes there are a small number of providers who continue to be adversely impacted and is working with them to find alternative submission solutions and will continue to provide financial support as needed.”

Payment

An ongoing issue for providers is the batch of 835 files (electronic remittance advice files) that were lost amid the outage.

Government payers, among others, may have reconnected via mechanisms other than Change Healthcare’s Assurance platform, which likely would entail a requirement for providers to reenroll with those payers to access historical remits.

One workaround is to request the 835 files directly from payers. Banking vendors may be able to convert the files to hostable 835 files. For Medicare, the files should be available from the provider’s administrative contractor.

UHG said payment processing is at 86% of pre-incident levels and is “increasing as additional functionality is restored.”

Other services

Connectivity with Change Healthcare’s real-time eligibility checker has been inconsistent, with the connection dropping at seemingly random intervals, providers reported during the call. The provider-credentialing function also seems to be an issue.

Other products for which functionality reportedly remains spotty include the claim-editing interface with Epic’s Rapid Retest function.

Services “are being restored on a rolling basis with the active reconnection of our customers now the priority,” UHG wrote. “To date, approximately 80% of Change functionality has been restored on the major platforms and products, and the company expects full restoration of other systems to be completed in the coming weeks.”

A projected timeline of restoration for many services is available on UHG’s main incident page.

April 23 updates

11:45 a.m. CT: UnitedHealth Group issued its most definitive statement yet about the exposure of protected health information (PHI) from the cyberattack on Change Healthcare, saying “a substantial proportion of people in America” are at risk.

The statement applies to both PHI and personally identifiable information (PII), UHG said in an April 22 posting, citing a data sampling it has conducted. At least thus far, the data does not appear to include doctors’ charts or full medical histories.

“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor,” the company stated. “No further publication of PHI or PII has occurred at this time.”

There was no reference to reports that information of business partners, such as contractual agreements, is among the posted files.

The statement says UHG is offering to make the required notifications “and undertake related administrative requirements on behalf of any provider or customer” regarding the data breach.

Customers are advised to confirm this accommodation with UHG, given that the HHS Office for Civil Rights (OCR) affirmed in an April 19 FAQ that all HIPAA-covered entities are required to make timely breach notifications to HHS and affected individuals stemming from the attack.

OCR is investigating UHG and Change Healthcare for possible HIPAA violations and has clarified that business associates of the companies are not focal points of the investigation.

Who posted the files?

The Wall Street Journal reported Monday (login required) that hackers penetrated Change Healthcare’s systems more than a week before launching the Feb. 21 ransomware strike. The vulnerability apparently stemmed from inadequate remote-access authentication, including a lack of multifactor authentication.

“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” UHG said in a statement issued Monday, its first confirmation that a payment was made.

Based on earlier reports, the screenshots referenced in Monday’s statement may have been posted by the RansomHub cybergang. UHG in early March reportedly paid a $22 million ransom to the Blackcat group, which was described as the perpetrator of the attack. After Blackcat allegedly cut its partners in the cyberattack out of the payment, RansomHub announced it had four terabytes of PHI and other files from the attack and sought another payment.

UHG’s statement does not indicate whether multiple ransoms have been paid.

Help for consumers, business partners

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” UHG said in Monday’s update.

The company is offering resources to potentially affected individuals before completing its review and prior to sending out official breach notifications. Resources can be found on a dedicated website and via a call center (866-262-5342).

“The company will reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process,” UHG stated.

April 17 updates

5:15 p.m. CT: Although the RansomHub group reportedly said it would give UnitedHealth Group until Friday, April 19 to avoid having several terabytes of protected health information sold or published (see the April 16 update below), a tech media report out of Australia indicates UHG may already be out of time.

RansomHub has announced the data is now for sale, Cyber Daily reported. However, the group is said to be alerting individual health insurers that they can still negotiate to protect any of their data that was caught up in the cyberattack.

11:45 a.m. CT: The Feb. 21 Change Healthcare cyberattack had a roughly $870 million impact on UnitedHealth Group (UHG) through March, leaders of the company said April 16 during an investor call to discuss Q1 financial results.

About $500 million of the loss is applied to Optum Insight, with which Change Healthcare merged after its October 2022 acquisition by UHG.

Still, UHG’s overall performance and revenues have been “growing and performing at a level which allows us to maintain the adjusted-earnings-per-share objectives we established last November, even while taking on the business disruption impacts,” said John Rex, president and CFO.

About $595 million in loss stemmed from direct costs applied to clearinghouse restoration and from medical expenses related to the suspension of some care management activities, Rex said. Meanwhile, revenue loss amounted to $280 million.

“The effect of the attack in the period is one of keeping all the lights brightly burning at full readiness to resume services while revenue production was essentially suspended,” Rex said.

For the full year, direct costs are projected at between $1 billion and $1.15 billion and revenue loss at between $350 million and $450 million, depending on how restoration proceeds.

Getting back to normal

Analysts had projected larger revenue losses for the quarter. Roger Connor, CEO of Optum Insight, attributed the mitigation to “good progress on system restoration,” noting that 80% of functionality is back in the areas of pharmacy, claims and payment.

Connor expressed confidence in the company’s ability to bring back customers that took their business elsewhere during the outage.

“We’re talking to those customers all the time, and they want their functionality back,” he said. “They like what they had with Change, and they want to get that back. We’re working with them to ensure that we can actually do that.

“Also, we provided financial support to a number of our clients, and they have said to us that they appreciate it. It’s a signal that we are committed both to them, but then also to this marketplace as well.”

UnitedHealthcare’s (UHC’s) incurred but not reported (IBNR) value of claims increased by $3 billion, reflecting “prudent ongoing claims receipt assessment,” Rex said. Lessening the medical cost payable balance was a $1.6 billion jump in the fully-processed-claims component stemming from UHC’s accelerated payments to providers.

As of mid-April, when the call took place, the insurer was seeing “fairly normal claims receipts and payments flows,” Rex said. “But we’ll really want to be careful on [assessing] that because we know there are certain care providers out there that maybe have been left out a bit.”

Is bigger better?

As policymakers examine the role of mergers and acquisitions in amplifying the risks of such cyberattacks, Andrew Witty, UHG’s CEO, said the purchase of Change Healthcare mitigated the impact.

It was “important for the country that we own Change Healthcare,” Witty said. “Without UnitedHealth Group owning Change Healthcare, this attack would likely have still happened, and it would have left Change Healthcare extremely challenged to come back.”

The company is moving at full speed to continue building innovations such as real-time claims settlement and clinical decision support capabilities, Witty added. The merger between Optum and Change Healthcare makes such tools easier to develop and implement, UHG leaders said.

April 16 updates

12 p.m. CT: A ransomware group is starting to leak out protected health information obtained through the Change Healthcare cyberattack, according to a new report.

The RansomHub group has begun posting PHI on the dark web, TechCrunch reported. RansomHub is seeking a payment after the Blackcat group, which was described as the perpetrator of the attack, reportedly cut its own partners out of a $22 million ransom payment (see the April 9 update below).

The new reports suggest that instead of being a partner of Blackcat, the RansomHub group is a third party working with one of Blackcat’s former partners. Regardless, a week ago, RansomHub said it has four terabytes of data from the hack. The group since has said the full data set will be published or sold April 19 if no additional ransom is paid.

The files include “personal information about patients across different documents, including billing files, insurance records and medical information,” TechCrunch reported after examining a sample.

Organizational information of payers may also be at risk, as the files “contain contracts and agreements between Change Healthcare and its partners,” the report states.

UnitedHealth Group issued a statement saying there is no indication of a second cyberattack following the initial Feb. 21 incident.

An April 13 report by WIRED also has key information about this latest development.

April 10 updates

4:45 p.m. CT: UnitedHealth Group recommends bookmarking its updates page, where information on product restoration is being updated more regularly these days.

Among the recent updates are notes on the availability of webinars for customers of Change Healthcare’s Acuity platform for revenue cycle analytics and the Enterprise Imaging Customer Support solution. There’s also an item about the company’s legacy Emdeon clearinghouse, although that update is merely a statement that a customer call about the platform took place last week.

11:30 a.m. CT: Remittance files from UnitedHealthcare and Aetna, among other payers, are starting to flow again through Change Healthcare’s system, according to information shared on a call this week of HFMA’s Change Healthcare Business Continuity Workgroup.

Some remittances that were being processed at the time of the Feb. 21 outage may require redirection, which can entail reenrolling with the payer. The need for such processes raises concerns about errors stemming from duplicate files.

Change Healthcare says that going forward, the Excel file showing which payers have reconnected with the Assurance platform will be updated to indicate specifically where remittances are processing. One recent update is that Medicare remittances should start going out in one to two weeks.

The payer file is available on Change Healthcare’s incident page.

April 9 updates

1:45 p.m. CT: Physician practices are experiencing a significant impact on their claims submissions as a result of the Change Healthcare cyberattack, according to a new survey by HFMA and Eliciting Insights.

The survey of 205 physician executives took place between March 28 and April 3. Among respondents whose practice uses Change Healthcare as its primary clearinghouse, 87% said they have experienced an impact of more than 20% on their daily claims submissions.

More than half of respondents for whom Change Healthcare is the primary clearinghouse cited issues with cash flow (86%), shifting to claims submission via an online portal (64%), shifting to paper claims (62%), and manual remittance posting (56%).

If the outage lasts another 30 days, 61% of respondents for whom Change is the primary clearinghouse foresee issues with overtime pay for administrative staff. The same share anticipates incurring unanticipated costs due to financing and loans.

11:15 a.m. CT: UnitedHealth Group reportedly already made a $22 million ransomware payment after the Change Healthcare cyberattack, and now another extortion effort may be in the works.

Per new reports, a group called RansomHub says it has four terabytes of Change Healthcare’s data from the attack. The group is threatening to release the data, which includes protected health information, if it does not receive a payment within 12 days (with the countdown starting April 8).

Reports have linked RansomHub with the ALPHV/Blackcat group that was described as the perpetrator of the attack. According to cybersecurity groups, RansomHub was affiliated with Blackcat and had a role in orchestrating the attack, and felt it was entitled to a share of the initial payment. When Blackcat essentially absconded with the full amount, RansomHub decided to seek a payment of its own.

The ransom demand specifically cites the following Change Healthcare partners as those for which PHI is being held: Medicare, Tricare and CVS Caremark, plus “tens of insurance companies and others.”

April 3 updates

12:15 p.m. CT: UnitedHealth Group (UHG) has not updated the Change Healthcare incident page since March 27 (as of late afternoon on April 3), theoretically suggesting a period of peace and quiet after restoration of the company’s claims submission system wrapped up March 22.

But providers are still encountering significant issues, as described by participants during this week’s call of HFMA’s Change Healthcare Business Continuity Workgroup.

A big problem is the lack of payer connectivity to the restored platform. A hospital representative on the HFMA call said Change Healthcare is asking its provider customers to help persuade their payer partners to reconnect.

More than 2,700 payers already have reconnected, as seen on the updated list available at this Change Healthcare link.

As is the case with providers, certain payers may not have gotten clearance to reconnect from their IT security team even after UHG and Change Healthcare provided third-party assurance. Hesitation also may stem from legal and compliance departments worried about the security of protected health information.

Some payers are offering the option to receive remittances via a direct connection, although that may cost the provider some of the functionality it has been accustomed to through the Assurance platform, according to feedback on the HFMA call. In at least one case, multiple payers have told a provider it must move to a different vendor that would require the provider to pay a fee to receive electronic remittance advice (ERA) files.

One provider representative on the call said she heard from Change Healthcare that for payers that were not connected at the time a claim was submitted but since have reconnected, the provider has to go in and manually trigger each such claim to go through. To find a better solution, it may be worth escalating the inquiry to a “tier two” level among Change Healthcare’s customer support staff, another provider representative said.

March 29 updates

4 p.m. CT: Although the status of Change Healthcare’s claims submission and reimbursement platforms has been the focus among providers during the outage, more than 100 other services likewise were affected by the cyberattack.

A majority of those remained down more than five weeks after the event, according to Optum’s status page, including tools to help with insurance eligibility and enrollment, revenue cycle management, risk adjustment and value-based care.

UnitedHealth Group’s incident page stated that the Clearance benefits verification product was scheduled to be restored this past week.

11:15 a.m. CT: Difficulty obtaining advance payments from payers continues to be an issue for providers during the Change Healthcare outage, according to a March 22-26 Market Pulse survey conducted by Eliciting Insights and HFMA, with responses from 155 health system executives.

A majority of respondents (56%) said they had not received advance payments or loans from any payer that has been impacted by the shutdown, while 28% said fewer than 10% of payers had made such an accommodation.

Federal healthcare leaders this week provided a list of payer contacts for providers to use in inquiring about advance payments. The list includes national contacts, but providers are advised to first check in with a regional contact if they have one for the particular payer.

Not surprisingly, survey results indicate the ability to submit claims and receive payments varies considerably depending on which clearinghouse the provider uses.

Among respondents for whom Change Healthcare is the primary clearinghouse, 1% said they could bill claims to payers “as usual,” and another 28% said most processing had resumed. On the flip side, 22% reported no improvement.

For respondents where another clearinghouse is the primary option, 25% were back to business as usual and 47% said they were most of the way there.

A similar split was seen with respect to receiving payments, with only 14% of respondents that rely on Change Healthcare as their primary clearinghouse saying “most processing” had resumed in that area.

March 28 updates

4:15 p.m. CT: In a March 27 update to its incident page, UnitedHealth Group said it has transmitted more than $3.3 billion in advance payments to providers, and more than 40% of the funds have gone to safety-net hospitals and federally qualified health centers.

By way of review, options for providers seeking a loan include Medicare and Medicaid advance payments, Optum’s temporary funding assistance program, and individual agreements with payers.

In a recent HFMA survey, feedback from a small subset of respondents indicated a possible issue with Medicaid advance payments in particular.

For providers hoping to inquire about advance payments from insurers, HHS recently provided a resource that includes a contact list.

10:30 a.m. CT: Survey results from HFMA’s Change Healthcare Business Continuity Workgroup (see also the March 27 entry below) suggest widespread difficulty for providers in verifying whether payers have reestablished the requisite connectivity with the claims submission platform.

In a question about their organization’s ability to verify that payers have reconnected and can receive 837 files, 85% of respondents answered in the negative.

Regarding 835 files (electronic remittance advices), responses were even more lopsided: 93% said they had been unable to confirm whether the ability to exchange such files has been restored.

Change Healthcare has made available an Excel file with a list of payers that have reconnected. The file can be downloaded from this link, and Change Healthcare says it is being updated multiple times per day.

UnitedHealth Group’s incident page notes that the Relay Exchange platform for transmissions with payers “will require new [payer] log-in credentials for secure file transfer protocol (SFTP) to establish new secure batch claims and electronic remittance advice (ERA) connections.” The platform was reactivated this past weekend (March 23-24).

“We have been reaching out to Relay Exchange payers to share our third-party documentation and gather the information we need to reinitiate a connection,” the incident page states. “It’s a relatively quick process once we have the information, but we need to have our credentials to your systems reset prior to reconnecting.”

As for Change Healthcare’s clearinghouse trading partners, UHG said it was “still waiting on a few others to reconnect. For payers with a clearinghouse that acts as your exclusive gateway, please encourage that clearinghouse vendor to reconnect directly with the Relay Exchange to help accelerate our restoration of provider connectivity.”

March 27 updates

4:30 p.m. CT: New survey results from HFMA members illustrate the key decisions facing finance professionals who are helping their provider organizations navigate the Change Healthcare outage.

HFMA surveyed members of the Change Healthcare Business Continuity Workgroup, receiving more than 60 responses between March 22 and March 26.

More than half of respondents (54%) said they are considering whether to file a business-interruption event through their insurance policy. Among 29 respondents who have made a decision, 15 intend to put in for a payment.

Nearly two-thirds (65%) said they will consider moving to multiple clearinghouses to ensure future business continuity. Regarding how claims volume would be split among multiple clearinghouses, the leading specified answer (39.5%) was to separate hospital claims from medical group claims.

Among customers of Change Healthcare’s claims submission system, 50% said they are considering whether to resume uploading claims, 29.4% are preparing to do so, and 20.6% will not be using the platform.

As to whether they will keep their business with Change Healthcare, 43% of respondents are exploring their options, while 23% are going to keep some platforms and terminate others. The share that will definitely stay or definitely leave was evenly split at 9% each.

Among respondents who have put in for Medicare advance payments, the vast majority (94%) were approved for the payment. But there may be an issue on the Medicaid side: Although only seven respondents said they have put in for those advance payments, five of the seven said they had not been approved. (States must submit a formal “state plan amendment” to CMS to gain authorization to make advance payments, with a deadline of March 31 unless they request a 10-day extension.)

Among 13 respondents who requested advance payments from their managed care partners, eight were granted those payments.

March 26 updates

4:30 p.m. CT: Federal healthcare leaders are expanding their outreach to healthcare providers about the financial constraints they continue to face more than a month after the Change Healthcare cyberattack.

Leaders of HHS, CMS and the Administration for Strategic Preparedness and Response (ASPR) drafted a March 25 letter to providers and attached a list of payer contacts. The hope is that the list can be of use to providers seeking financial assistance from commercial payers in the wake of the attack.

Federal officials “continue to hear from providers that you have sometimes had difficulty getting answers from healthcare plans about the availability of prospective payments or the flexibilities you may need while the Change Healthcare platform is unavailable,” the letter states.

Although the accompanying resource includes national contacts, HHS suggests reaching out to regional contacts first if a representative is known.

Many payers in the resource document mention the availability of advance payments, with most saying availability is on a case-by-case basis. At least one payer, Elevance Health, indicated it generally would not offer advances because providers have been able to switch to another clearinghouse. Elevance did extend timely filing requirements for affected providers by 30 days and said providers should contact their service representative if they cannot move to a different clearinghouse and are experiencing financial hardship.

The resource list appears not to be entirely up to date, given that the information provided by some payers does not mention the restoration of the claims submission platform, which happened last week. UnitedHealth Group’s incident page has the latest status information.

March 25 updates

4:45 p.m. CT: Among the long-term implications of the cyberattack on Change Healthcare are legislative and regulatory provisions that eventually will get implemented in response, and the impact of those on various healthcare stakeholders.

As a possible glimpse of what’s to come, Sen. Mark Warner (D-Va.) on March 22 introduced a bill that would apply cybersecurity-related conditions to the receipt of Medicare accelerated and advance payments during a cyberattack.

A provider would have to meet certain minimum cybersecurity standards to obtain payments, and the payments also would be conditional on whether the provider’s vendors meet those standards.

President Joe Biden’s administration also is pushing for hospital cybersecurity standards to be implemented. The White House’s FY25 budget proposal includes investments of hundreds of millions of dollars in cybersecurity supports for hospitals with resource needs, as well as an incentive program that would penalize hospitals for failing to meet established standards.

11:45 a.m. CT: Friday’s provider call (see also the March 22 update below) hosted by UnitedHealth Group (UHG) and Optum executives gave some of the clearest insight yet as to why there was a discrepancy between the payments offered through Optum’s temporary funding assistance and the actual value of providers’ disrupted claims volume.

Soon after the loan program was established March 1, providers began reporting that the amounts they received were a fraction of their claims that could not be processed.

The explanation that subsequently emerged from Optum, according to provider representatives who heard from the company, indicated the loan amounts were based on the value of claims that had been processed at the time of the breach and were ready to go back out to providers.

That changed within a couple of weeks, with UHG updating its incident page to state that the shortfall in claims value would determine the loan amount.

On Friday’s call, executives said the issue arose because prepopulated fields on the loan-program page were based on UHG’s visibility into payments being processed by Change Healthcare and on claims associated with UnitedHealthcare.

Since then, the company has made a point of expanding the program to account for a provider’s total shortfall. The executives encouraged providers to put in for the loan if they have yet to do so and are struggling with cash flow.

March 22 updates

5 p.m. CT: In a customer call Friday, UnitedHealth Group (UHG) executives said providers have been extensively using Change Healthcare’s medical claims preparation software since it came back online this week.

As of Friday, claims with more than $14 billion in charges had been staged for processing through the software, they said.

The next phase is for Relay Exchange claims processing to become functional again, and that is expected this weekend, along with third-party safety documentation.

From there, the plan is to first work with payers to ensure as many claims as possible will be successfully received and with other clearinghouses to optimize capacity and interoperability.

After that, customers of Change Healthcare’s Assurance platform, followed by other submitters, can send out their saved claims. Claims processing for Assurance customers will resume automatically and could take place as soon as Monday, March 25. Advance notice will be provided, as will instructions for any customer that does not want processing to begin immediately after the restart.

For other submitters, the hope is to complete restoration by the middle of the week. UHG and Optum are reaching out to gather the information that’s needed to configure the new connections. One goal is to minimize any reenrollment requirements.

As for when payment transmittal will resume, that’s largely up to the payers, UHG leaders said. UnitedHealthcare, sister company of Change Healthcare, has pledged to process payments immediately after receiving and processing claims.

UHG also updated its incident page today with its most specific estimates yet for when various Change Healthcare products and services will be restored. For example, benefits verification should be available during the upcoming week, while services related to value-based payment are still a couple of weeks away.

12:45 p.m. CT: Consumers began filing lawsuits against UnitedHealth Group (UHG) and Change Healthcare soon after the cyberattack, and more recently, providers have done the same.

An OB-GYN practice filed suit (login required for document access) March 14 in a federal district court in Mississippi, saying UHG, Optum and Change Healthcare failed to take reasonable measures to guard against the breach and that, as a result, the plaintiff could not be paid for its services to patients.

The plaintiff seeks class-action status for the lawsuit.

“As many class members, including plaintiff, have limited liquidity, this disruption threatens to bankrupt hundreds if not thousands of care providers, if it hasn’t done so already,” the filing states.

Change Healthcare is liable not only because its defenses failed to prevent the cyberattack, but also because it “compounded the attack by disconnecting all of its services, even though reports indicate that only certain systems were affected,” the lawsuit states.

The practice said it had been denied $132,700 in payment between Feb. 21 and March 14 as a result of the attack.

A San Francisco-area therapy practice filed suit (login required) March 18 in Northern California, similarly seeking class-action status and saying the defendants “neglected to implement the robust cybersecurity controls that such critical infrastructure demands.”

Failure to secure the infrastructure “catastrophically harmed hard-working medical providers around the country, forcing many to the edge of bankruptcy and delaying or denying vital medical treatments needed by patients around the country,” according to the lawsuit.

The plaintiff said it took out emergency loans with interest rates of 50% to pay basic expenses, including payroll. It also has had to divert staff resources away from patient care to address cash-flow problems and incurred costs of contracting with another clearinghouse.

The judgement should compensate the plaintiff and class for damages incurred while also providing “equitable relief” (e.g., contract cancellation), restitution and disgorgement (requiring the defendants to pay out any profits they made from the outage), the plaintiffs stated.

March 21 updates

4 p.m. CT: Following HHS’s request for health plans to offer advance payments to providers amid the Change Healthcare outage, correspondence from health insurance advocates suggests such relief will not be made widely available.

The Alliance of Community Health Plans posted a March 19 letter to HHS from four leading insurer advocacy groups. The associations said feedback from their member organizations indicates patient access to care mostly is not being disrupted and that “the overwhelming majority of providers have resumed claim submissions, received timely payments and maintained their operations.”

Acknowledging that smaller providers and those that serve the healthcare safety net are more likely to be struggling, the groups said insurers would fulfill HHS’s request to proactively reach out to those providers with assistance. “Targeted advance payments” would be offered.

Insurers also pledged to support providers in switching to alternative payment and claims-processing platforms, offer flexibility for providers that cannot make connections on those platforms, and expedite the clearance of incoming claim batches to promote timely reimbursement.

No specific reference was made to waiving or relaxing prior authorization and other utilization-management requirements. In a March 12 statement, AHIP (formerly America’s Health Insurance Plans) said such a step might not be advisable.

11:45 a.m. CT: For providers wondering about payer connections through Optum’s iEDI, which UnitedHealth Group has touted as an alternative clearinghouse to Change Healthcare, the following list shows which payers are requiring provider enrollment.

TherapyNotes, which provides practice management solutions for behavioral health practices, posted the list March 20 (the company noted it will send out claims at this stage only for payers that do not require enrollment).

Generally, commercial insurers do not require enrollment, while most public payers do have the requirement.

March 20 updates

4:45 p.m.: UnitedHealth Group (UHG) updated its incident page Wednesday to reflect the ongoing work of restoring Change Healthcare’s various functions, including claims submission.

“By the end of the week, we expect all Assurance users — including thousands of hospitals across the country — will have complete functionality enabled again, including claims editing. Using the software, providers can begin preparing the backlog of claim files that accumulated during the outage,” the update states.

Actual claims submission to payers should be available by the end of the week or the beginning of next week as the Relay Exchange clearinghouse comes back online.

“Claims prepared in Assurance will not be released to payers until this happens,” the update states.

“Phased reconnection and testing will continue into the week of March 25 as operations ramp up,” the update also says. “Given the amount of volume that has already transitioned to other submission solutions and the phased approach, system capacity challenges are not expected.”

During a call Wednesday of HFMA’s Change Healthcare Business Continuity Workgroup, an executive with one health system said the organization was told not to exceed 20,000 claims per imported batch to avoid overwhelming the system. It also remains to be seen how soon payers reconnect and start transmitting the 835 and 837 files, another workgroup member noted.

For anyone trying to submit claims who does not have the capability to connect with Relay Exchange, UHG said it will coordinate on other solutions.

As previously noted, Change Healthcare’s electronic payments platform has been functional since March 15.

However, “Some providers still don’t have workarounds for claims and payments, and it will take time to fully bring all payers and providers back online,” UHG acknowledged.

Providers that require financial assistance due to the outage are encouraged to consider the various loan options from UHG, CMS and others. See the March 19 post below for details.

10:30 a.m.: The latest survey data from HFMA and Eliciting Insights reveals trepidation among healthcare finance leaders about the long-term ramifications of the Change Healthcare cyberattack.

In the second “Market Pulse” survey since the outage began, 128 health system finance executives responded March 12-14. More than 4 in 5 (83%) said their organizations are incurring additional expenses stemming from manual processes or new technology investments. The share was 94% among respondents at organizations where Change Healthcare is the primary clearinghouse, and 69% among other organizations.

Written comments included:

  • “We will incur significant investment transaction costs in addition to the manual process costs in order to cover the cash shortfall.”
  • “The Change Healthcare outage has put our entire organization at risk.”
  • “There is a significant increase in borrowing costs due to the delay in payments — we are basically funding the delay with our line of credit.”

Regarding post-outage plans, more than half (53%) of respondents at organizations where Change Healthcare is the primary clearinghouse said they would shift to partnering with multiple clearinghouses. Other steps expected to be implemented include submitting claims directly to payers (17%) and ensuring stronger contract language around business continuity for future outages or breaches (7%).

Among organizations with a different primary clearinghouse, 45% said they would not change their current processes. Other responses included partnering with multiple clearinghouses (22%), submitting claims directly to payers (14%) and stronger contract language (12%).

Where Change Healthcare is the primary clearinghouse, some respondents faced the prospect of incurring high costs to switch vendors, products or services. Of those that have implemented such changes, 34% foresee a total cost increase of up to 10%, while 10% of respondents project a higher increase.

On the bright side, 18% do not expect an increase, while 16% anticipate a decrease.

Results from the first post-outage survey conducted by HFMA and Eliciting Insights are available below.

March 19 updates

11:30 a.m. CT: More payers are agreeing to make advance payments to providers as a cushion against the impact of the Change Healthcare cyberattack, at least in Medicare Advantage and Medicaid managed care, federal authorities said.

During a media call March 18, HHS officials did not specify which insurers had agreed to do so. The department had been scheduled to meet with payers March 15 to implore them to help their provider partners.

12:15 p.m. CT: A newly released readout states that the meeting took place March 18 and says federal officials especially urged payers to support small, rural and safety-net providers. “HHS and White House leadership pressed insurers to be targeted and specific in carrying out solutions, including increasing advanced payments where needed to the providers and communities still most in need,” the readout states. Payers should use their proprietary data to proactively assess which providers require support.

HHS Secretary Xavier Becerra spoke about the issue March 14 during a Senate Finance Committee hearing on the administration’s FY25 budget proposal.

“What we’re doing is essentially saying to the payers — many of whom actually have already received their payments from Medicare [Advantage] and Medicaid, they’re holding money and providers aren’t getting paid — we’re saying to them, ‘You need to start making payments. While you may not receive the bill, you have a general sense on a monthly basis what these providers will bill you. So, there’s no reason to not work out an advance payment to these hospitals and other doctors and other providers,’” Becerra said.

UnitedHealthcare, a sister company of Change Healthcare, has pledged to make advance payments to provider partners that have been affected by the outage.

During a March 15 call of HFMA’s Change Healthcare Business Continuity Workgroup, however, a revenue cycle leader with one health system said the organization’s UnitedHealthcare contact did not seem clear on the availability of an advance from the insurer. The representative instead provided a link to Optum’s loan program.

Among its other payer partners, the health system had success in obtaining an advance from a large Medicaid managed care plan. And while the local Blues plan had not received authorization from the national office to make advance payments, the plan was laying the groundwork by establishing regional contacts for an advance payment program.

Optum adjusts its program

A piece of good news for providers seeking financial assistance is the expansion of eligibility and available payment amounts in Optum’s loan program.

During the first two weeks after the program was implemented March 1, providers reported receiving a fraction of the funding they would have expected based on their interrupted claims volume.

Optum apparently was basing funding amounts on a provider’s payments that had been processed and were ready to go out for remittance, rather than on claims. That’s no longer the case, however.

“Funding is based on the difference between historical weekly claims/payments volume pre-disruption compared to weekly volume post-disruption,” the program page states.

In addition, providers will have a repayment period of 45 days after full resumption of Change Healthcare services. That’s up from 30 days most recently and a mere five days when the program initially launched.

In another change, providers can check their eligibility without registering for an Optum Pay account.

Optum also is trying to make the receipt of funds as easy as possible for providers after they enroll.

“For providers for whom we have visibility into pre-disruption weekly claims average or payment, we’re preloading funds into these providers’ respective Optum Pay accounts if we see a gap in the post-disruption weekly average,” states UnitedHealth Group’s incident page. “Providers only need to open their account and choose to accept the available funds. This is being managed on a week-by-week basis until services are restored.  

“For the providers for whom we don’t have full visibility into weekly claims average or payment, please submit an inquiry form to give us a better sense of your needs. We’ll review your submission on a case-by-case basis.”

Medicaid programs now authorized to help

CMS previously announced the availability of Medicare accelerated and advance payments in connection with the outage. More recently, the agency published guidance to state Medicaid directors on bolstering providers as needed.

Medicaid programs can use new regulatory flexibilities to get funding to providers. Specifically, states can submit attestations that will allow their programs to pay providers for rendered services for which claims cannot be submitted. Payments can be retroactive to the Feb. 21 start of the cybersecurity incident that took down Change Healthcare and can draw on the usual federal Medicaid contribution for those payments.

The guidance includes the technical details and requirements that accompany the flexibilities, which will be effective through June 30.

March 18 updates

12:45 p.m. CT: UnitedHealth Group updated its Change Healthcare cyberattack incident page with a posted news release.

Change Healthcare was scheduled Monday to begin releasing medical claims preparation software to “thousands of customers over the next several days,” according to the release.

Third-party safety and security attestations are expected to be available before services become operational.

“Following this initial phase, remaining services restoration will continue through ongoing phases of activation until all customers have been connected,” the release states.

In Friday’s call with providers (see also the March 15 update below), Optum executives presented information about payer connectivity and provider enrollments once Change Healthcare’s claims submission system is back up and running.

Subject to the discretion of commercial and government payers, Optum is seeking to implement bulk enrollments to help providers avoid having to take steps to re-enroll. Similar conversations will happen with respect to electronic remittance advice (ERA) transmittal.

Providers should not need to re-enroll for any payer connection that remains from before the outage, unless the provider enrolled with a different clearinghouse for that payer during the interim.

Another topic that came up during the call was the resubmission process, including for files that were in transit when Change Healthcare was shut down early on Feb. 21. The process will have to be nuanced because workarounds have varied from one provider to the next (e.g., Optum’s iEDI clearinghouse, paper claims, payer portals), Optum executives said.

As to whether full restoration will include unreleased claims, that is likely to be determined on a case-by-case basis to ensure the data behind the claims is available, the executives said. Payers should have no problem reprocessing remittances through Change Healthcare as needed, they added.

10:30 a.m. CT: As an additional accommodation for physicians affected by the Change Healthcare cyberattack, CMS announced it is reopening the application period for the Extreme and Uncontrollable Circumstances (EUC) exception in the Merit-based Incentive Payment System (MIPS). The EUC application must be submitted by April 15.

The exception is available only for physicians who cite the Change Healthcare cyberattack as the reason for their inability to meet the April 15 data-submission deadline. Specifically, applicants should select “Ransom/Malware” as the event type and include “Change Healthcare cyberattack” in the event description.

CMS previously granted a two-week extension of the original April 1 deadline for MIPS data submission. The American Medical Association has said the EUC exception should be applied to all MIPS participants.

March 15 updates

5 p.m. CT: Change Healthcare’s claims-related services are close to being restored, Optum and UnitedHealth Group officials said during a call with providers Friday, but they did not provide specific dates because of the need to ensure all functions can operate securely and seamlessly once they come back online.

Much of the news stemming from the call complemented updates posted by UnitedHealth Group on its incident page Wednesday and Thursday.

The Assurance Reimbursement Management platform was available for customers to connect to Friday, with testing of the claims submission system set to begin next week, officials said during the call.

Providers do not need to take action to reestablish connectivity between Change Healthcare’s reimbursement management platform and clearinghouse. Optum is working with its payer customers on network reconnections and with other clearinghouses to make sure access is at peak capacity during the restart. Customers using Optum’s iEDI or another clearinghouse should continue to do so until Change Healthcare’s platform is fully back online.

Providers should be aware that multifactor authentication through PingID will be required during the service restoration. It’s strongly recommended that they have the PingID application set up in advance. Optum said it will be resending instructions to all customers in case anyone doesn’t have them.

Another tool that will need to be reinstalled — for any providers that have uninstalled it — is an Assurance application called Auto Agent. The application should be functional unless it was disabled, but confirming its status is advisable.

Optum plans to make available third-party guarantees on the security of the claims platform as soon as is feasible. Optum and UnitedHealthcare systems have not been affected by the cyberattack and are fully functional, nor are there signs of any “traversal” over to Change Healthcare’s customers, officials reiterated.

However, saying the investigation is ongoing, officials declined to comment on the degree to which protected health information is at risk from the cyberattack.

Electronic prescribing is fully functional, including claims submission and payment transmission, officials again said during the call.

12 p.m. CT: The American Medical Association (AMA) called out the health insurance advocacy group AHIP for its stated response to the Change Healthcare cyberattack.

In a statement earlier this week, AHIP indicated widespread accommodations on processes such as prior authorization may not be warranted.

“Given the very wide variability of impact across the system, individual plans and providers are in the best position to assess how to maintain appropriate payments in a timely manner — and also to minimize the need for reconciliation processes,” AHIP stated. “Further, broad exemptions in prior authorization at a time of advance payments could expose patients and employers to fraud, waste and unnecessary costs.”

In a March 14 statement, the AMA said such a response is inadequate.

“It is dumbfounding that following weeks of silence and a lack of assistance to struggling practices in the wake of the Change Healthcare cyberattack, AHIP’s response is a ‘business as usual’ approach to prior authorization,” the AMA said. “This approach is particularly galling since service outages have exacerbated the administrative burdens and care delays already associated with this process. Prioritizing profits over the stability and solvency of our care delivery system starkly contrasts with the Biden administration’s appeal to health plans to ‘meet the moment.’”

HHS leaders met with healthcare stakeholders March 12 to talk about “concrete actions to mitigate harms to patients and providers caused by the cyberattack on Change Healthcare,” according to a readout of the meeting. AHIP and major health insurance companies were among those who attended.

March 14 updates

4:30 p.m. CT: New metrics from a leading healthcare solutions company foreshadow the financial toll on providers from the Change Healthcare outage.

Kodiak Solutions (formerly part of Crowe LLP) shared data showing the delay in claims processing amounted to an impact of $6.3 billion between Feb. 21 and March 9 among the more than 1,850 hospitals and 250,000 physicians in the company’s data set.

An expected weekly baseline was determined by examining claims filed between Jan. 1 and Feb. 17. That total was $6.872 billion.

The dollar amount of claims filed then dwindled over the first three weeks after the attack, falling to $4.339 billion the week of March 3. That’s 63% of the expected baseline, Kodiak reported.

The implications for providers are ominous if they don’t get adequate financial assistance.

“The impact from the cyberattack showed up immediately in our claims data, and it will soon show up in reduced cash flow to hospitals, health systems and medical practices across the nation,” Colleen Hall, senior vice president and revenue cycle leader at Kodiak Solutions, said in a news release.

12:30 p.m. CT: CMS has published an FAQ on the program for making accelerated and advance payments to providers that have been affected by the cyberattack on Change Healthcare.

One noteworthy item in the FAQ applies to the required attestation: “At this time, CMS is requiring that providers/suppliers certify that they have obtained or attempted to obtain emergency financing or advances from other sources. Providers and suppliers should maintain this supporting documentation although the agency is not requiring that it be submitted with the request for CHOPD [Change Healthcare/Optum Payment Disruption] payments. CMS maintains the right to perform post-pay audits of providers and suppliers that received payments under CHOPD.”

Advocacy groups such as the American Hospital Association have raised concerns that the interest rate tied to the payments could make the loan impracticable for some providers. Interest will be applied if a provider has a balance remaining after the 90-day automatic recoupment period. The interest rate would be the standard rate pertaining to Medicare debts, according to the FAQ.

Providers facing financial hardship can apply for an extended repayment schedule.

10 a.m. CT: UnitedHealth Group (UHG) updated its incident page late Wednesday to provide promising news about the breach.

“A thorough forensic analysis is well underway,” the update states. “Through this analysis, we have identified the source of the intrusion and, with high confidence, have established a safe restore point. This point allows us to move forward safely and securely in restoring our data and systems.”

Full payment functionality remains on track to resume Friday, March 15.

“Once the platform is ready, we anticipate we will have effectively restored 100% of the pre-incident electronic payments volume,” the update states. “Payers who processed and disbursed payments to providers via the Change platform will be able to do so again, including using Automated Clearing House (ACH) and virtual credit cards (VCC) to transfer funds.”

The company still expects to begin restoring the claims system during the week of March 18. Phases will include connection, testing and resumption of full service.

“While we are making progress, we strongly recommend pursuing multiple paths and solutions, including [Optum’s iEDI] claim submission system and alternative clearinghouses,” UHG said.

“There are providers unable to submit claims for whom a more complete restoration is the answer. We understand the impact is very uneven and we are aggressively working to solve the problem for those who’ve not been able to implement workaround solutions. We’ve made funding mechanisms available to help providers who are in this situation.”

All major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing, according to the update. But challenges remain with respect to “a subset of pharmacies that are still offline, disruption for infusion pharmacies and challenges for some Medicaid fee-for-service customers.”

March 13 updates

4:45 p.m. CT: Hospitals continue to report significant financial, operational and even clinical impacts from the cyberattack on Change Healthcare, according to a large survey conducted by the American Hospital Association (AHA).

Out of 960 hospitals that responded between March 9 and March 12, 74% said they were contending with issues affecting patient care, such as delays in authorization for medically necessary services.

Meanwhile, 94% of respondents are facing financial consequences, with more than half saying the impact has been “significant or serious” and a third indicating more than half of their revenue has been disrupted.

The AHA referred to the survey results in a letter to the Senate Finance Committee that requests legislative help for hospitals and health systems.

Steps by HHS and CMS to make available accelerated and advance payments are welcome but not sufficient due, in part, to the repayment timeline and interest rate, the AHA said. Furthermore, regulators lack the statutory authority to compel private payers to assist providers financially; while UnitedHealthcare has said it will offer loans to help tide over providers, the extent to which other insurers will follow suit is unclear.

Legislative action also is needed to protect providers from “what is likely to be a substantial problem on the back end [of the outage]: excessive denials by payers of claims that either could not be filed timely or because the provider could not obtain the necessary authorization,” the letter states.

12 p.m. CT: HHS’s Office of Civil Rights announced Wednesday it will investigate UnitedHealth Group (UHG) and Change Healthcare, primarily examining whether the data breach violates the HIPAA Security Rule or Privacy Rule.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident,” the announcement states. The investigation “will focus on whether a breach of protected health information [PHI] occurred and Change Healthcare’s and UHG’s compliance with the HIPAA rules.”

The investigation will not focus on possible violations stemming from related breaches at other healthcare entities, such as the company’s payer and provider partners.

“While OCR is not prioritizing investigations of healthcare providers, health plans and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA rules,” the announcement states.

In 2018, OCR levied a record $16 million penalty on Anthem following what was described as the largest U.S. health data breach in history. The PHI of almost 79 million individuals was taken, OCR found.

The Change Healthcare breach potentially puts even more PHI at risk, since one out of every three U.S. patient records is said to pass through the company’s databases.

In addition to possibly incurring regulatory penalties, the company faces the prospect of having to defend itself against multiple class-action lawsuits.

March 12 updates

3:30 p.m. CT: For physician practices that participate in the Merit-based Incentive Payment System (MIPS) as part of Medicare’s Quality Payment Program, CMS is offering a two-week extension on the data submission deadline as an accommodation stemming from the Change Healthcare outage.

The window for 2023 data submission had been scheduled to run until April 1, but participants now have until April 15.

Failure to submit data by the deadline means a 9% penalty, the American Medical Association (AMA) noted in a March 7 letter to CMS.

“While physician practices prioritize keeping their practices open to continue to care for Americans, we are concerned that many will not have the resources to expend on MIPS data submission,” the AMA wrote.

In its letter, the AMA said CMS should apply the Extreme and Uncontrollable Circumstances Exception across the board. That would allow practices to avoid financial penalties.

Barring such a step, “CMS must extend the 2023 MIPS data submission window until after the cyberattack has been resolved and practices are back to normal operations,” the AMA wrote.

For now, at least, CMS has granted only the two-week extension.

12:15 p.m. CT: Provider feedback indicates that payments from Optum’s temporary funding assistance program are a fraction of what recipients anticipated based on their claims history.

The discrepancy may stem from how the estimate is generated. Optum seems to be basing the loan amount on the value of a provider’s claims that had been processed by health plans and subsequently were in the Change Healthcare pipeline for payment to providers at the time of the attack, according to one provider that has sought clarification from the company.

The language on the program page is vague: “We have been able to estimate providers’ average weekly payments prior to the Change Healthcare cyber incident, which will be the basis for the support,” Optum states.

UnitedHealth Group (UHG) has said the program should be viewed as more of a last resort than a first choice. Providers first should seek workarounds and alternatives to using Change Healthcare, as well as accelerated and advance payments from Medicare and advances from payer partners.

UnitedHealthcare, sister company of Optum and Change Healthcare, has committed to providing advance payments. UHG requested that other commercial payers do the same, but as of Tuesday morning, none of the other big insurers had publicly pledged to take that step in the five days since UHG put out the request.

March 11 updates

4:15 p.m. CT: HFMA partnered with Eliciting Insights to conduct a short survey March 8-10 of 146 health system executives on how their organizations are being affected by the Change Healthcare outage. Check out this PDF to see the full results.

As expected, results varied significantly depending on whether the organization uses Change Healthcare as its primary clearinghouse.

For example, among respondents at organizations where Change Healthcare is the primary clearinghouse, 94% said their organizations had experienced an impact on daily charge submissions of greater than 20% for more than eight days. Among organizations with a different primary clearinghouse, only 25% had experienced such an impact.

There also were significant disparities in the anticipated consequences for organizations if the Change Healthcare outage lasts more than 30 days. On the question of whether their organization would need additional funding in the form of loans, 60% of respondents from organizations at which Change Healthcare is the primary clearinghouse said “yes,” compared with 9% at other organizations.

On whether there would be a notable patient impact if the outage surpasses 30 days, the shares answering affirmatively were 55% and 34%, respectively.

The 30-day mark since Change Healthcare acknowledged the outage is March 22. In an update at the end of last week, UnitedHealth Group projected that payment functionality would be restored March 15, while claims submissions could resume the week of March 18.

12:45 p.m. CT: An industry expert shared insights last week on the likely impact of the Change Healthcare cyberattack from a credit-rating standpoint.

Kevin Holloran, sector head for U.S. not-for-profit healthcare and higher education with Fitch Ratings, and a member of HFMA’s Principles and Practices Board, conducted a webinar to preview Fitch’s 2023 medians.

The overall state of affairs for the NFP hospital sector is looking up, Holloran noted. The attack, which first was reported 15 days before Holloran’s remarks, has not altered Fitch’s sector ratings.

“Balance sheet strength is prevalent for our rated universe,” Holloran said. “It provides enough cushion to ride through this storm. It typically isn’t a big system saying, ‘It’s all of my hospitals [being affected by the breach].’ [They’re saying], ‘It’s a handful of our hospitals, not all, and A) we’ve got some workarounds and B) we’ve got enough cash to get through it.’ So I don’t think you’re going to see any rating changes from us on this impact.

“I think ultimately, there will be business interruption insurance, and we’ll have to see what the total impact from a monetary standpoint was in delays and billing issues and things like that. And what is the ultimate catch-up from some level of insurance, and ultimately who’s on the hook for it, that kind of a thing. But I just don’t think it’s going to be a rating impact, although it’s certainly, if you’re experiencing it right now, a really difficult thing to go through.”

March 10 updates

Weekend developments surrounding the recovery from the Change Healthcare cyberattack included a letter from HHS and the Department of Labor encouraging commercial payers to do their part to help financially strained providers.

“Larger payers in particular have the balance sheet stability to advance payments,” the letter states. “Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments.”

Medicaid managed care payers particularly should consider advancing funds, since providers in that program are more likely to be safety-net providers with less of a financial cushion.

Payers also should ease administrative burden “by simplifying electronic data interchange requirements and timelines and by accepting paper claims,” the letter states. They should be as flexible as possible with prior authorization and other requirements pertaining to utilization management.

The letter also calls on UnitedHealth Group (UHG) to step up its response to the attack, including by ensuring “expedited delivery of funds to impacted providers for all receiving advance payment from UnitedHealthcare.” UHG said Friday that UnitedHealthcare would be advancing funds to its provider partners (see the March 8 update below).

“While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any healthcare entity that can step up,” the letter states. “For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and [to] avoid cost-prohibitive pricing.”

The letter also reiterates steps being implemented by CMS to help Medicare and Medicaid providers, including streamlining the process for providers to change clearinghouses, encouraging Medicare Advantage and Medicaid managed care health plans to remove or relax prior authorization requirements, and directing Medicare administrative contractors (MACs) to be prepared to accept paper claims submissions. 

Medicare payment relief

On March 9, CMS issued a notice that MACs would begin posting information as soon as that very day on how providers can apply for Medicare accelerated and advance payments.

CMS earlier in the week had announced that hospitals and other Part A providers could apply for accelerated payments, but physician advocates had expressed disappointment that no relief was being offered for Part B providers. Saturday’s announcement represented a course change, noting that Part B providers are invited to apply for advance payments.

The notice states that accelerated and advance payments are to be made in amounts reflecting a 30-day claims-payment window. The amount for each provider will be one-third of the total amount of claims paid to the provider from August 2023 through October 2023.

Providers can put in for a lesser payment amount if they choose. Repayment to Medicare will be in the form of automatic recoupment over a 90-day period, with a notice issued on day 91 for any remaining balance.

The announcement lists various attestations required of applicants for the payments, along with terms and conditions of the loan.

March 8 updates

5 p.m. CT: The American Hospital Association weighed in on UnitedHealth Group’s projected timelines for getting processes related to payment remittal and claims submission back up and running (see today’s first post below).

“Nothing in the announcement materially changes the chronic cash flow implications and uncertainty that our nation’s hospitals and physicians are experiencing as a result [of the attack],” the AHA said in a statement by Rick Pollack, president and CEO. “Even after Change Healthcare’s technology is restored, it will be weeks — if not months — before our hospitals and other healthcare providers will be made whole.”

It will be important for the AHA to continue to work with UHG and federal authorities to ensure “all options for assistance are explored,” Pollack added.

4 p.m. CT: Consumers are starting to file lawsuits against UnitedHealth Group (UHG) and Change Healthcare following the cyberattack that disrupted business and finance operations across the U.S. healthcare system.

A case (login required for document access) filed March 5 at the U.S. District Court of Minnesota, the jurisdiction of UHG’s corporate headquarters in Minnetonka, Minn., was brought “on behalf of patients whose sensitive personal information was stolen by cybercriminals in a cyberattack that accessed patient data through Change Healthcare’s services on or around Feb. 21, 2024.”

The plaintiff, a California resident who is seeking class-action status and a jury trial, also stated that he was unable to use his health insurance to fill two prescriptions for medication. Among the counts being pursued in the case are negligence and breach of contract, with treble damages sought.

“The data breach has affected countless millions of individuals across the country,” the complaint states.

Furthermore, “Change Healthcare and associated entities, as medical industry experts, knew and should have known how to prevent a common cyberattack.” The complaint alleges that cybersecurity recommendations from the National Institute of Standards and Technology and HIPAA standards were implemented “after the data breach, rather than before.”

UHG has not publicly disclosed the extent to which protected health information may have been compromised. Any such breach potentially would affect millions, given that Change Healthcare says it processes transactions involving a third of all U.S. patient records.

At least one other case was filed at the same court this week, similarly seeking class-action status and a jury trial.

“Patients are stuck in prescription purgatory without access to their vital medications. … UHG’s network outage is jeopardizing the health of millions of Americans,” the second lawsuit asserts.

The complaint also states, “The combination of unmedicated patients and [financially] handicapped hospitals paints a bleak future.”

10 a.m. CT: In news that many healthcare stakeholders have been awaiting, UnitedHealth Group (UHG) has posted a projected timeline for restoring key functionality to Change Healthcare following the cyberattack more than two weeks ago.

The company’s incident page was updated late on March 7 with an alert that electronic payment transmittal will be restored beginning Friday, March 15, while access to Change Healthcare’s claims network and software will be restored during the week of March 18.

In the meantime, “We strongly recommend providers pursue multiple paths and workarounds, including our iEDI claim submission system and alternative clearinghouses,” the latest update says. “If there’s anything we’ve learned as an industry, it’s that system redundancy is critical given the current environment.”

Electronic prescribing, along with associated claims submission and payment transmission, was “fully functional” at the time of the alert.

The news follows reports earlier this week that a sizable ransom apparently was paid to the ransomware gang said to be responsible for the attack.

In other news, UHG subsidiary UnitedHealthcare announced it will advance funds to provider partners “representing the difference between their historical payment levels and the payment levels post-attack.” UHG also urged other payers to make cash advances available.

In an accommodation regarding Optum’s loan program, UHG extended the payback period from five days to 30 days. That followed criticism from the American Hospital Association and others that the five-day period made the loan program an untenable option.

UHG is describing the Optum loan program as “a funding mechanism of last resort, especially for small and regional providers.” Providers first should attempt to establish alternative connection options while Change Healthcare remains down and should seek advances from their payer partners. If those steps fall short, they can turn to the Optum loan program.

March 7 updates

4:30 p.m. CT: The federal government’s response to the Change Healthcare cyberattack should be more robust and should mirror the early response to the COVID-19 pandemic, the National Association of Medicaid Directors (NAMD) wrote in a blog post. The organization’s concerns echo those of the American Hospital Association and other groups that criticized HHS’s stated response to the situation (see the March 5 update).

“Of particular concern [are] the safety-net providers (federally qualified health centers and critical access hospitals) and providers of behavioral health and community-based long-term services and supports that serve large numbers of Medicaid members and are at particular risk for having to stand down on providing service because of their thin operating margins,” NAMD wrote. “These provider constraints threaten access to care and risk exacerbating longstanding disparities, particularly for people of color, people with disabilities and people in rural areas.”

The post adds that “while states are doing everything they can to respond — including standing down on prior authorization requirements and directing pharmacies to provide emergency refills and 30-day supplies of medication; connecting at-risk members to one-on-one care management support; in states that use these arrangements, requesting that their managed care organizations make advance payments to providers; and supporting providers in moving to different payment clearinghouses — states do not have the financial capacity to pay providers exclusively out of state funds for any length of time.”

HHS should implement some of the same protocols that were used during the COVID-19 public health emergency, NAMD states. Specifically, state Medicaid programs should be authorized to:

  • Make emergency supplemental payments that qualify for federal matching, can be instituted immediately and can be granted accommodations with respect to documentation of services
  • Waive utilization management practices and co-payments that are embedded in their state plans

12:45 p.m. CT: The American Academy of Ophthalmology recently posted practice management tips for navigating the Change Healthcare cyberattack. Among the recommendations are requesting extensions from vendors on accounts receivable and discussing with physician owners what a potential delay in pay would look like.

Hospitals are posting patient messaging regarding anticipated billing issues. One hospital’s notice includes the assurance that patient care will not be affected amid the shutdown, but it describes the need for patients to become more proactive with their insurance carrier. For example, patients should make a point of getting verification for coverage of services.

They also should avoid mailing payment in the return envelope that came with their bill. The envelope goes to a Change Healthcare address.

“Those payments can’t be posted as paid while Change Healthcare’s system is down,” the notice states.

Payments can be made at hospital or clinic sites, mailed directly to the hospital or made through the patient portal.

Importantly, the notice also advises patients to “beware of scams trying to take advantage of the disruption. We may contact you via phone or U.S. mail if you owe a bill, or to verify insurance coverage. We do NOT ask for financial information via text.”

March 6 updates

4 p.m. CT: Clay J. Countryman, partner with Breazeale, Sachse & Wilson, LLP, in Baton Rouge, La., provided a letter with recommendations and resources for HFMA members to consider in managing the operational and financial impacts from the Change Healthcare cyberattack. Countryman represents clients from across the healthcare industry, with a primary focus on healthcare business transactions, and is a former chair of the Health Law section of the American Bar Association.

The letter details considerations around:

  • Connections to Change Healthcare’s systems
  • Operational impacts involving patient care
  • Mitigation steps related to cybersecurity and technical infrastructure
  • Financial impacts
  • Potential breaches of patient information
  • Management of claims processing and claims transaction clearinghouses
  • Action steps to address financial and related issues

12 p.m. CT: The Medical Group Management Association recently posted guidance for physician practices that face challenges managing cash flow after the cyberattack on Change Healthcare.

Areas of focus should include:

  • Immediate cash flow management
  • Strategic financial planning
  • Transparent patient communication
  • Operational streamlining
  • External support and advocacy

Operational streamlining may need to include “[adjusting] clinical and administrative staff schedules where possible through reduced hours, rotational shifts or temporary remote work to right-size payroll costs,” according to the guidance.

March 5 updates

5 p.m. CT: HHS and CMS have offered their most extensive comments and guidance to date on the Change Healthcare cyberattack.

In a statement, HHS addressed the cash-flow concerns and operational challenges facing providers. Among the notes in the statement was the opportunity for Medicare providers to switch to a new clearinghouse for claims processing if necessary. Providers should contact their Medicare administrative contractor (MAC) if they are seeking to make such a change.

“CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and [to be] ready to bill claims quickly,” the statement reads. State Medicaid and CHIP programs likewise are encouraged to assist in the process. MACs also must be prepared to accept paper claims as needed.

“If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers or extensions, or contact CMS regarding quality-reporting programs,” the statement reads.

In addition, Medicare Advantage (MA) and Medicare Part D plans are being encouraged to waive or relax prior-authorization and other utilization management requirements, and MA plans should consider offering advance funding to providers that have been especially impacted by the attack. Medicaid and CHIP managed care plans should look into offering similar accommodations.

MACs will be putting out information this week about applying for Medicare accelerated payments, according to the statement.

Hospital advocates said the response contained in the statement is too narrow, given the havoc being inflicted on business and finance processes throughout the industry.

“The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it,” the American Hospital Association (AHA) said in a written statement. “The measures announced today do not do that and are not an adequate whole-of-government response.”

The AHA said it will push for legislative solutions if necessary. One advocate in Congress for providers is Sen. Charles Schumer (D-N.Y.), majority leader, who wrote a letter to CMS urging the agency to make available Medicare accelerated and advance payments and to streamline claims processing and payments to the extent possible.

The Federation of American Hospitals likewise said that although HHS’s statement reflects the gravity of the situation, “more must be done as the fallout spreads, disrupting patient care and undermining caregivers.”

3 p.m. CT: Reports over the past two days indicate UnitedHealth Group may have paid a ransom totaling $22 million in Bitcoin to the perpetrators of the Change Healthcare cyberattack.

A report from Reuters and another from WIRED suggest the ALPHV/Blackcat ransomware group has received the payment. UnitedHealth Group and Change Healthcare declined to address the reports.

Even if true, it is unclear whether and how quickly the situation would be resolved.

UnitedHealth Group’s recently launched incident page includes the following tip for providers, indicating there is still a long way to go in getting everything back to normal even if a ransom has been paid.

“We acknowledge there are still a number of providers who are not able to submit claims or receive payment.  

“Our strong recommendation is for providers and revenue cycle vendors to connect to our EDI [electronic data interchange] option. This will work for the vast majority of providers who cannot submit today. There are some cases where other approaches need to be designed due to connection incompatibility. We regard EDI to be the most expeditious way to help solve this problem. We fully acknowledge that not all functionality will be in place and will create some rework burden, but we are recommending this approach to get claims flowing.

“To support these efforts, as of March 5, 2024, we began hosting an ongoing series of webinars on EDI. Our teams are ready to engage and help those payers and providers get claims connections built quickly through this secure and verified platform.”

1 p.m. CT: The loan program offered by UnitedHealth Group and Optum for providers affected by the Change Healthcare cyberattack is not being greeted enthusiastically by provider advocates.

The American Hospital Association (AHA) wrote a letter to UnitedHealth Group saying the loan program is inadequate. One key drawback is that it focuses only on payments that are being deferred because of the Change Healthcare shutdown, rather than the “equally problematic issue” that providers cannot submit claims through the clearinghouse.

The AHA also took issue with the terms and conditions of the program, among them a five-day turnaround time for making repayment after receiving notice.

“We have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” the letter states.

The American Medical Association (AMA) wrote a letter to HHS, saying the department should “utilize any available emergency funds and authorities to provide critical financial resources to physicians, ensuring they can continue to deliver essential healthcare services during these challenging times.”

A recurring theme in feedback from providers is that the workarounds being proposed by UnitedHealth Group and Optum are not tenable.

“Practices are being instructed to use direct data entry and portals to submit claims, which are quite labor-intensive compared with using their regular practice management systems that pre-populate data,” the AMA wrote. “These ‘workarounds’ are adding extensive administrative burdens as well as substantial costs to physician practices for this extra manual work. In addition, practices are filing claims on paper when available, but many insurance companies no longer accept paper claims.”

March 1 updates

Optum has begun providing substantive details on Change Healthcare’s efforts to rebuild its systems after the Feb. 21 shutdown due to the cyberattack.

Friday’s update to the incident page included the note that the company’s Rx ePrescribing service was functional after a new instance was installed. The Clinical Exchange ePrescribing tools for providers were still not operational, the company clarified.

Parent company UnitedHealth Group launched a new webpage that includes an FAQ featuring information about recommended workarounds for providers, among other topics.

“Change Healthcare recommends that providers use the applicable payer’s portal to check claim status, as well as complete eligibility verifications and prior authorizations. If a portal is not available, the recommended approach is calling the appropriate payer’s provider service line,” the webpage states.

“Hospitals, health systems and providers have connections to multiple clearinghouses and have access to manual workarounds. In addition, many providers maintain their own direct connectivity to Medicare, state Medicaid and state health plans. This combination can represent between 50% and 75% of patient mix/claim volume. For these submitters, claims are processing successfully to these payers.”

The FAQ also has information about the loan program being offered to providers dealing with constrained cash flows because of the inability to submit claims and receive payments.

The financial assistance includes no interest, fees or other associated costs, according to the webpage. Providers must register for the program at optum.com/temporaryfunding. They will need to sign up for an Optum Pay account if they don’t have one already.

Given the typical lag between claims submission and payment transmittal, many providers may have to wait before applying, the company indicated: “This is not a program for providers who have had claims submission disruptions but rather for those whose payment distribution has been impacted.”

Feb. 29 updates

In a nod to the fact that a restoration of Change Healthcare’s systems probably will take at least a few weeks, parent company UnitedHealth Group has been preparing to offer a loan to healthcare providers who have been unable to submit claims for services since the Feb. 21 start of the fallout from the attack.

STAT reported (login required) that Dirk McMahon, COO of UnitedHealth Group, told providers this week that a loan program will be set up to help provider-customers for the duration of the shutdown.

Terms of the loan have not been publicly disclosed. Optum Bank already has a working-capital loan program for providers that is advertised as being interest-free while featuring a “transparent and affordable upfront fee.”

In other news, Optum updated the recurring message about the shutdown for the first time since Feb. 23. The post on the incident page did not provide substantive information about a resolution to the issue. It acknowledged ALPHV Blackcat as the perpetrator of the attack and identified two third-party consultants that are helping with the recovery.

“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” the message states.

On Feb. 28, Reuters reported that ALPHV Blackcat claimed it had stolen “millions of sensitive records, including medical insurance and health data,” via the attack. However, the group quickly deleted the dark-net post in which it made that statement.

Feb. 28 updates

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and HHS issued a joint advisory regarding the ransomware gang that is said to have perpetrated the cyberattack on Change Healthcare. The implication behind the alert is that the group is not done targeting the healthcare sector.

Of nearly 70 organizations that are known to be victims of the ALPHV Blackcat ransomware group since December, healthcare has been the most common target, according to the alert.

“This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” the alert states.

The alert includes indicators of compromise that can be seen in an organization’s technical infrastructure, along with recommended incident response and mitigation steps.

Optum did not provide new information on the Change Healthcare attack, including when the situation could be resolved.

Feb. 27 updates

UnitedHealth Group said 90% of Change Healthcare’s pharmacy clients have found electronic workarounds to the claims-processing snag brought on by the cyberattack on the company’s systems, according to a CNBC report. The remainder have established offline workarounds.

UHG also noted that cash-flow issues should not immediately hit providers because of the typical one- to two-week lag between processing and payment delivery.

However, that does not speak to the prospect that the ongoing shutdown will cause delays in when providers can expect to be paid for claims they otherwise would have submitted during the past week, even if they manage to quickly establish workarounds via other clearinghouses and manual processes.

To mitigate the likely financial crunch, HHS should offer guidance on how providers can access Medicare advance or accelerated payments and should expedite the processing of applications, among other steps, the American Hospital Association wrote in a Feb. 26 letter.

Optum did not provide new information on the attack, including when the situation could be resolved.

Feb. 26 updates

Note: In the original story below, the date of UnitedHealth Group’s filing with the SEC has been corrected from Feb. 21 to Feb. 22.

Optum did not share updated information Monday on the attack or a timeline for repairing Change Healthcare’s systems.

Reuters reported that the perpetrator of the attack was the Blackcat ransomware gang.

The Health Information Sharing and Analysis Center offered additional guidance for IT professionals to consider as they evaluate their organization’s connectivity to UnitedHealthcare and Optum.

The practice management software company Therapy Brands posted an extensive list of payers for which claims and payments cannot be processed while Change Healthcare is out of operation.

Original story (Feb. 25)

The cyberattack that disabled operations at Change Healthcare starting Feb. 21 has hampered billing and payment operations and other processes across the healthcare industry.

The company, which was bought by UnitedHealth Group in October 2022 and subsequently combined with Optum, is a leading technology provider of end-to-end revenue cycle management, clinical decision support and pharmacy benefit solutions, among other offerings.

On its incident page, Optum listed more than 100 Change Healthcare services that were affected. Among the core functions being impacted are benefits verification, claims submission and status updates, remittance information transmittal and prior authorization.

As of Feb. 25, Optum had not offered new information about the attack or a timeline for when Change Healthcare’s systems would be up and running.

“Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact,” Optum stated. “This action was taken so our customers and partners do not need to.”

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” the company added.

In a Feb. 22 filing with the Securities and Exchange Commission, UnitedHealth Group attributed the attack to a malicious actor affiliated with a nation-state. The company did not specify how it made that assessment.

The FBI and HHS had not made public any details about the attack as of Feb. 25.

Precautionary measures advised for hospitals

Although Optum has said it retains a “high level of confidence” that its operations and those of UnitedHealthcare were not affected by the attack on Change Healthcare, the American Hospital Association (AHA) advised hospitals to temporarily disconnect from Optum if they determine there’s any chance they could be exposed to damage.

“Due to the sector-wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain healthcare technologies and clinical authorizations provided by Optum across the healthcare sector,” the AHA wrote in a bulletin.

“Based upon the statements from Change Healthcare that they became aware of an ‘outside threat’ and disconnected ‘in the interest of protecting our partners and patients,’ we recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.

“It also is recommended that organizations which utilize Optum’s services prepare related downtime procedures and contingency plans should Optum’s services remain unavailable for an extended period.”

Columbia University, which is affiliated with NewYork Presbyterian and Weill Cornell Medicine in New York City, sent out a Feb. 22 staff alert saying emails from Optum and UnitedHealth Group, along with those from Change Healthcare, were being blocked out of an abundance of caution.

“Please do not connect to these domains from any device,” the alert stated.

An update the next day said it was safe to reconnect with the UHG and Optum networks. Emails from Change Healthcare and CareMount Medical, a regional medical group acquired by Optum in 2022, were still being blocked.

Headaches for providers, pharmacies and consumers

Since the attack, anecdotal reports have suggested hospitals and pharmacies are being significantly disrupted, although how widespread the problem is remains unclear. Hospital processes that likely would be hampered by a prolonged shutdown include payment and reimbursement transmissions, while care delivery could be affected if Change Healthcare’s prior authorization and care coordination services are unavailable.

As an example of the far-reaching impact, the revenue cycle management company Availity announced it had disconnected “all inbound and outbound transactions from Change Healthcare, Optum and United Healthcare” on Feb. 21. Three days later, it had reconnected with UnitedHealthcare and Optum.

Whereas hospitals face a slew of potential back-office and cash-flow challenges stemming from the attack, the pharmacy aspect has posed the most immediate consumer-facing issue.

For example, Tricare, the healthcare program for active-duty military service-members and their families, published a bulletin saying it would resort to using a manual procedure to fill prescriptions until the issue is resolved.

“Military pharmacies will give priority to urgent prescriptions followed by routine prescriptions,” the bulletin states. “Each military hospital and clinic will continue to offer pharmacy operations based on their local manning and resources. Please be patient while pharmacies take longer than usual to safely fill prescription needs.”

A CNN report profiled a patient who had to pay $1,600 out-of-pocket to get a Paxlovid prescription filled because CVS Health and other pharmacies could not bill her through her insurance.

The American Pharmacists Association said that as a result of the shutdown, “Many pharmacies throughout America could not transmit insurance claims for their patients. This is resulting in delays in getting prescriptions filled. As of Friday afternoon [Feb. 23], the situation was still not resolved and pharmacies across the nation are reporting significant backlogs of prescriptions they are unable to process.”
