Readout of Biden-Harris Administration Convening with Healthcare Community Concerning Cyberattack on Change Healthcare

On Tuesday, March 12, the U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy Secretary Andrea Palm, led a convening of health care community leaders – joined by White House Domestic Policy Advisor Neera Tanden, White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger, and others from the federal government – to discuss concrete actions to mitigate harms to patients and providers caused by the cyberattack on Change Healthcare.

Over the weekend, Secretary Becerra and Acting Labor Secretary Julie Su called on UnitedHealth Group (UHG) and other payers to meet the moment, urging actions that complement those taken by the Biden-Harris Administration to ensure patients’ access to care and support providers.

Secretary Becerra and Domestic Policy Advisor Tanden made clear the government and private sector must work together to help providers make payroll and deliver timely care to the American people and that insurers help providers in this moment of challenge. Since February 21, when HHS first learned of the Change Healthcare attack, it has been in near-constant communication with countless stakeholders to understand the impact on the ground and step in to help facilitate solutions with urgency. Centers for Medicare & Medicaid Services (CMS) Administrator Chiquita Brooks-LaSure also announced that guidance to states is forthcoming to provide needed flexibilities for states to support Medicaid providers and suppliers during this time.

Biden-Harris Administration officials directly heard concerns from representatives of provider groups – hospitals, children’s health providers, physicians, infusion centers, pharmacies, community health centers, long-term care facilities – across the country on the broad impact the cyberattack on Change Healthcare has had on the health care sector. They highlighted gaps in the response from payers, including the need for more immediate payment options, direct communications and relaxed billing and claims processing requirements.

Health care payers were then called upon and committed to continued coordination to meet the need – considering additional steps to reduce red tape, provide accessible funding opportunities through advanced payments, and through other means to provide productive solutions to address the cash flow issues that providers are experiencing. Biden-Harris Administration officials called upon the payers to respond with urgency and noted they will follow-up with the payer community about the actions and commitments voiced today.

The DNSA Neuberger noted the interconnectedness of the domestic health care ecosystem and the urgency of strengthening cybersecurity resiliency across the sector, by implementing HHS’s voluntary HPH Cyber Performance Goals (CPGs). Department of Labor Principal Deputy Assistant Secretary for Employee Benefits, Ali Khawar reminded the participants of DOL’s Cybersecurity Program Best Practices for plan sponsors, plan fiduciaries, record keepers and plan participants in the health care community.

List of Administration participants:

• HHS Secretary Xavier Becerra
• HHS Deputy Secretary Andrea Palm
• Neera Tanden, White House Domestic Policy Advisor
• Anne Neuberger, White House Deputy National Security Advisor for Cyber and Emerging Technology
• Dawn O’Connell, Administrator and Assistant Secretary for Preparedness and Response
• Carole Johnson, Administrator of Health Resources and Services Administration
• Chiquita Brooks-LaSure, Administrator for the Centers for Medicare & Medicaid Services (CMS)
• Jonathan Blum, Principal Deputy Administrator and Chief Operating Officer, CMS
• Ben Smith, Deputy Director of the Indian Health Service
• Bertha Alisia Guerrero, Director of the Office of Intergovernmental and External Affairs
• Ali Khawar, Department of Labor Principal Deputy Assistant Secretary for Employee Benefits

List of Stakeholder participants:

• Alliance of Community Health Plans
• America’s Essential Hospitals
• America’s Health Insurance Plans
• American Academy of Family Physicians
• American Academy of Pediatrics
• American Health Care Association | National Center for Assisted Living
• American Hospital Association
• American Medical Association
• American Osteopathic Association
• American Pharmacists Association
• American Society of Consultant Pharmacists
• American Society of Health-System Pharmacists
• AmeriHealth Caritas
• Association for Community Affiliated Plans
• Availity
• BlueCross BlueShield Association
• Centene
• Children’s Hospital Association
• The Cigna Group
• CVS Health
• Elevance Health
• Federation of American Hospitals
• Humana
• Infusion Providers Association
• Kaiser Permanente
• LeadingAge
• Medicaid Health Plans of America
• National Alliance of State Pharmacy Associations
• National Association of Chain Drug Stores
• National Association of Community Health Centers
• National Community Pharmacists Association
• National Hispanic Medical Foundation
• National Rural Health Association
• Pharmaceutical Care Management Association
• Prime Therapeutics
• UnitedHealth Group

These efforts are part of HHS’ broader cybersecurity strategy. HHS continues to urge everyone to implement the aforementioned CPGs designed to help health care organizations strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.

HHS Actions on Change Healthcare to Date

Once the U.S. Department of Health and Human Services (HHS) was notified of the cyberattack on Change Healthcare systems on February 21, 2024, HHS acted to address the impacts. Within first 24 hours the Administration for Strategic Preparedness and Response (ASPR), in its role as “sector risk management agency,” stood up an interagency response team and began coordinating with federal partners (e.g., Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigations, Veterans Affairs) and across HHS to develop a comprehensive understanding of the situation and to coordinate the federal response. HHS began direct communication with UnitedHealth Group (UHG) leadership on day one, with an initial focus on scope and magnitude of impact.

HHS continued coordination as the situation progressed, continuing engagement with UHG to both assess timeline to restoration and system-wide impacts, and to press UHG for a swift and effective response to mitigate harms to patients and providers. ASPR continues to lead interagency actions, including the development and distribution of actionable threat intelligence with the healthcare sector and actions to ensure a system-wide response, coordination with Department of Labor and the Small Business Administration for potential private market supports, and communication with industry.

HHS has also been in consistent communication with other private sector health care entities – including private payers and clearinghouses – to ensure a systemwide response to increase claims flow and advanced payments wherever appropriate. HHS is in regular contact with state partners and with numerous external stakeholders, including physicians, hospitals, pharmacies, and other health care providers, to understand the nature of the impacts and to assess the effectiveness of the system-wide response. As CMS has received reports of any obstacles with claims processing or enrollment delays, the Agency has followed up with the Medicare Administrative Contractors (MACs) to troubleshoot issues. HHS is working with Members of Congress to facilitate assistance to providers and hospitals struggling with cash flow issues.

HHS, through ASPR and in partnership with Office of the Chief Information Officer (OCIO), conducted a comprehensive initial assessment of impacts on agencies within HHS and continues to monitor for additional impacts. As a result, the Indian Health Service (IHS) and Health Resources and Services Administration (HRSA) are communicating with leaders to address and mitigate effects.

And last, HHS, through the Centers for Medicare & Medicaid Services, took the following policy and administrative actions:

• swift policy action through Medicare Parts A and B to ensure health care providers have adequate cash flow and to prevent patient harms.
• announced that they streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed MACs to be prepared to accept paper claims submissions during the course of the outage.

Key Actions:

• On March 5, HHS announced that CMS had taken steps to assist providers to continue to serve patients. Specifically, CMS announced that they had streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed MACs to be prepared to accept paper claims submissions during the course of the outage.
• On March 5, HHS announced hospitals paid under Medicare Part A may submit accelerated payment requests to their respective servicing MACs for individual consideration.
• On March 7, HHS officials participated in a roundtable with the American Medical Association to discuss the impact of the breech on physicians and ensured that leadership from UHG attended to hear the providers’ concerns.
• On March 7, at the urging of HHS, UHG announced steps that they are taking to restore services for providers to ensure that they are able to submit claims.
• On March 9, CMS announced that applications are being considered for advance payments for Part B suppliers. These applications are available on all of the MACs’ websites.
• On March 9, CMS provided instructions to MACs about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers
• On March 8, HHS staff briefed Congressional staff on the scope of the incident and the Department’s response.
• On March 10, HHS Secretary Becerra and Acting Labor Secretary Su sent an open letter to health care leaders urging the private sector, especially other insurance companies, to work with the government to address the impacts on the cyberattack on health care providers.
• On March 12, HHS Secretary Becerra and Deputy Secretary Palm hosted a roundtable with health care leaders, including UHG, other insurance companies, and provider associations to discuss direct actions taken by these leaders to address the impact of the cyberattack.