Change Healthcare Cyberattack Prompts U.S. Legislative Proposal for Provider Payments

Source: AM Best | Published on March 26, 2024

Focus on healthcare providers amid Change Healthcare cyberattack

In the wake of the Change Healthcare cyberattack, a U.S. senator has introduced legislation allowing for advance and accelerated payment to impacted health care providers who, along with their vendors, meet minimum cybersecurity standards.

The attack on UnitedHealth Group subsidiary Change “paralyzed billing services for providers nationwide, leaving many in danger of becoming financially insolvent,” according to a statement from Sen. Mark Warner, a Democrat from Virginia, who sits on the Senate Finance Committee and co-chairs the Senate Cybersecurity Caucus.

UnitedHealth keeps advancing money — now exceeding $2.5 billion — to providers as some Change Healthcare systems remain down long after the attack was identified on Feb. 21.

The company said it is making advances to providers who receive payments from payers processed by Change Healthcare, UnitedHealthcare medical, dental and vision providers and providers who have “exhausted all available connection options — or are in the process of implementing workaround solutions — and work with other payers who have opted not to advance funds while the Change systems are down.”

The Health Care Cybersecurity Improvement Act of 2024 introduced by Warner would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program.

“It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Warner said. “The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

UnitedHealth still hasn’t said what provider or insured data may have been breached in the attack. The company said its “privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers.”

Last week, Change said it started releasing medical claims preparation software, calling it an “an important step in the resumption of services.” Earlier, it restored processes such as electronic prescribing.

It expects more products to become eligible in the coming weeks. For instance, the week of April 8 Change said payer products Health Qx and Risk Manager will become available and manual print implementation should resume for payer customers.

The Office for Civil Rights at the U.S. Department of Health and Human Services is investigating Change and UnitedHealth to decide if protected health information was breached and the companies’ compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. The office administers and enforces HIPAA requirements.

It said the cyber incident has posed a “direct threat to critically needed patient care and essential operations of the health care industry.”

States, including Arkansas, are also taking action after the attack on Change, which processes 15 billion health care transactions annually and touches one in three U.S. patient records. Arkansas Attorney General Tim Griffin said his office will investigate Change Healthcare under the state’s Personal Information Protection and Deceptive Trade Practices Act. Griffin said he wants to know if confidential medical information was compromised and/or laws violated.

“Additionally, my office will look into whether Change Healthcare used reasonable security procedures and practices to protect this information as required by Arkansas law,” Griffin said in a statement.

The Maryland Department of Health said it determined that the Change cyberattack didn’t immediately or directly put the department at risk.” However, we continue to monitor the impact of this outage on providers and patients,” it said on its website.

UnitedHealth said it doesn’t appear Optum, UnitedHealthcare or UnitedHealth Group systems were affected by the attack, which was carried out by a cybercrime threat actor self-identified as ALPHV/Blackcat.

UnitedHealth Group plans to release first-quarter financial results and hold an earnings conference call on April 16.

Most underwriting entities of UnitedHealth Group Inc. currently have a Best’s Financial Strength Rating of A+ (Superior).