Readout of Biden-Harris Administration’s Follow Up Meeting with Insurers Concerning Cyberattack on Change Healthcare

On Monday, March 18, the U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy Secretary Andrea Palm led a convening of payers to discuss concrete actions to mitigate harms to patients and providers caused by the cyberattack on Change Healthcare. White House Domestic Policy Advisor Neera Tanden and White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger, and others from the federal government, also participated. This was a follow-up to last week’s meeting.

Since the last meeting, HHS surveyed payers for data and information relating to actions they were taking to help providers resolve issues stemming from the cyberattack. HHS teams then worked over the weekend to review the responses.

During the meeting, Secretary Becerra and Director Tanden discussed the adjustments made to improve claims processing, but urged more support to providers who remain in need, particularly those serving vulnerable populations, rural hospitals and smaller institutions. They made clear the government and private sector must continue to work together to help providers make payroll and deliver timely care to the American people.

Deputy Secretary Palm acknowledged steady progress in reestablishing claims processing and urged insurers to target advanced payments to small, rural, and safety-net health care providers who are still voicing concerns with cash flow.

DNSA Neuberger noted the interconnectedness of the domestic health care ecosystem and the urgency of strengthening cybersecurity resiliency across the sector. She urged insurers to implement HHS’ voluntary HPH Cyber Performance Goals (CPGs). Noting that many payers and providers will require third party certification of the cybersecurity of Change Healthcare’s system before reconnecting, she encouraged United Health Group (UHG) to communicate to providers about efforts to safely secure claims systems and the timeframe for those third-party assessments.

Secretary Becerra and Deputy Secretary Palm also urged United Health Group (UHG) to connect providers to needed supports. Director Tanden urged insurers to assess their own data to determine which providers are in need of additional supports, and directly engage them.

Representatives from the participating insurance providers offered updates on their efforts to date and outlined specific actions they will be taking to resolve outstanding issues. HHS and White House leadership pressed insurers to be targeted and specific in carrying out solutions, including increasing advanced payments where needed to the providers and communities still most in need.

List of Administration participants:

• HHS Secretary Xavier Becerra
• HHS Deputy Secretary Andrea Palm
• Neera Tanden, White House Domestic Policy Advisor
• Anne Neuberger, White House Deputy National Security Advisor for Cyber and Emerging Technology
• Chiquita Brooks-LaSure, Administrator for the Centers for Medicare & Medicaid Services (CMS)
• Jonathan Blum, Principal Deputy Administrator and Chief Operating Officer, CMS
• Melanie Fontes Rainer, Director of the HHS Office for Civil Rights
• Brian Mazanec, Deputy Assistant Secretary and Deputy Director for Preparedness, Administration for Strategic Preparedness and Response
• Bertha Alisia Guerrero, Director of the Office of Intergovernmental and External Affairs

List of Stakeholder participants:

• Alliance for Community Health Plans (ACHP)
• America’s Health Insurance Plans (AHIP)
• AmeriHealth Caritas
• Association of Community Affiliated Plans (ACAP)
• Blue Cross Blue Shield Association (BCBSA)
• Centene
• The Cigna Group
• CVS Health/Aetna
• Elevance
• HealthCare Services Corporation
• Humana
• Kaiser Permanente
• Medicaid Health Plans of America (MHPA)
• Molina
• UnitedHealth Group

These efforts are part of HHS’ broader cybersecurity strategy. HHS continues to urge everyone to implement the aforementioned CPGs designed to help health care organizations strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.

HHS Actions on Change Healthcare to Date

Once the U.S. Department of Health and Human Services (HHS) was notified of the cyberattack on Change Healthcare systems on February 21, 2024, HHS acted to address the impacts. The following are additional key actions taken by HHS since the last readout on Tuesday, March 12.

Additional Key Actions:

• On March 13, CMS released a set of answers to Frequently Asked Questions regarding the availability of accelerated and advance payments for Part A and Part B providers and suppliers, respectively.
• On March 13, HHS sent a survey to health care payers that participated in a March 12 convening on the Change Healthcare cybersecurity incident.
• On March 13, HHS’ Office of Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other health care entities. Given the unprecedented size of the attack and public interest, OCR announced in the letter that it opened an investigation of the cyberattack on Change Healthcare and United Health. The letter also made clear to the thousands of other covered entities affected by the breach that they are not OCR’s target. OCR enforces the HIPAA Security Rule which is the Department’s law enforcement tool to protect protected health information from cyber attacks.
• On March 15, CMS reopened the 2023 Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) Exception Application to provide relief to clinicians impacted by this cybersecurity incident on reporting requirement timeframes.
• On March 15, CMS, announced important flexibilities to help state Medicaid agencies provide needed relief to Medicaid providers and protect access to health care coverage. In particular, CMS announced flexibilities to ensure that states can start making interim payments to providers affected by the Change Healthcare cybersecurity incident.