HHS’ Letter to Healthcare Leaders on Cyberattack on Change Healthcare

Dear Health Care Leaders,

As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.

In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people. The Biden-Harris Administration has taken action by removing challenges for health care providers and addressing this cyberattack head on. Now, we are asking private sector leaders across the health care industry – especially other payers – to meet the moment.

The Biden-Harris Administration remains committed to ensuring that all Americans can access needed care in spite of this cyberattack. We urge the private sector to quickly identify and carry out solutions. Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers.

We urge UnitedHealth Group to:

• Take responsibility to ensure no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare.
• Ensure expedited delivery of funds to impacted providers for all receiving advanced payment from UnitedHealth Care.
• Communicate more frequently and more transparently, both within the health care community and with state Medicaid agencies.
• Ensure ease of access to UHG programs, both by providing less restrictive terms and by addressing providers’ concerns regarding indemnification and arbitration requirements.
• Provide Medicaid agencies with a list of providers impacted in their states.
• Expedite activation and ensure effectiveness of all programs UHG announces to serve as a financial backstop, and prioritize under-resourced, lower margin providers.

We urge insurance companies and other payers to:

• Make interim payments to impacted providers. Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments.
• In particular, for Medicaid plans, consider making interim payments to impacted providers.
• Ease the administrative burden on providers by simplifying electronic data interchange requirements and timelines and by accepting paper claims. 
• Pause prior authorizations and other utilization management requirements; use all available leeway on deadlines.

While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any health care entity that can step up. For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and avoid cost-prohibitive pricing.

In addition to the actions outlined above, earlier this week, the U.S. Department of Health and Human Services (HHS) announced steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist states and health care providers to continue to serve patients and avoid disruptions. Specifically, CMS has streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed Medicare Administrative Contractors (MACs) to be prepared to accept paper claims submissions during the course of the outage. Just yesterday, CMS provided instructions to MACs about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers.

Overall, this incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem. That’s why, in 2023, HHS released a concept paper that outlines HHS’ cybersecurity strategy. The concept paper builds on the National Cybersecurity Strategy that President Biden released in 2023, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. Also, in 2021, the Department of Labor released Cybersecurity Program Best Practices to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. We urge you to visit the HPH Cyber Performance Goals website and implement these steps to stay protected.

Sincerely,

Xavier Becerra
Secretary, U.S. Department of Health and Human Services

Julie A. Su
Acting Secretary, U.S. Department of Labor