Provider Groups Urge HHS, Congress To Mitigate Damage From Change Cyberattack

An article from

Dive Brief:

• Provider groups are urging the federal government to help mitigate the damage after a cyberattack against UnitedHealth Group’s Change Healthcare has taken down many of the technology firm’s systems for nearly two weeks. 
• In a Friday letter to the HHS Secretary Xavier Becerra, the American Medical Association pushed the agency to offer emergency funds to physicians who’ve struggled to submit claims and receive payment since the outage.
• The American Hospital Association urged Congress on Monday to press the HHS for support. The organization wants the HHS to speed advanced Medicare payments, issue guidance to other payers and implement a financial assistance program. 

Dive Insight:

The attack on Change, which was acquired by insurer UnitedHealth Group in 2022, has limited providers’ ability to handle many critical operations, including receiving payment from patients and insurers, verifying coverage, submitting prior authorization requests or exchanging clinical records. 

The financial impact could become particularly dire, the provider groups wrote. The outage at Change costs providers more than $100 million each day, according to an estimate from risk assurance firm First Health Advisory cited by the AMA. 

“It is especially challenging financially at the beginning of the year since many practices do not carry over reserves,” AMA CEO and Executive Vice President James Madara wrote in the letter. “We are particularly concerned about small, safety net, rural, and other less-resourced practices that often serve underserved patient communities.”

UnitedHealth’s efforts to mitigate the financial impact haven’t been enough, the AHA said. The healthcare conglomerate set up a temporary financial assistance program for providers, but the AHA argued not enough hospitals could access the funds, and the terms behind the loans were onerous. 

Workarounds to processes shut down by the Change outage are also labor-intensive and time-consuming, the provider groups wrote. Practices are filing claims on paper when they can, but many insurers no longer accept paper claims, the AMA said.

The physician group urged the HHS to issue guidance on next steps for practice and use “enforcement discretion where available.” The AMA also asked the agency to continue to facilitate communication between Change and the healthcare sector so practices can stay up-to-date on new developments.

The attack on Change comes as the industry faces increased cyber threats. Last week, Change confirmed the ransomware group AlphV, also known as Blackcat — which has been targeting the healthcare sector — had claimed responsibility for the attack.

Over the past five years, the HHS’ Office for Civil Rights tracked a 256% increase in large data breaches involving hacking and a 264% jump in ransomware, a type of malware that denies users access to their data until a ransom is paid.