Change Healthcare moves toward restoration as feds step in

A month after UnitedHealth Group’s Change Healthcare was hit by one of the most devastating cyberattacks in healthcare history, the company is still working to bring its claims and payment processing services back online. Here’s the latest on the industry’s response to the ransomware incident. 

Making progress toward restoring services 

In a statement issued on March 18, leaders stated they are taking a phased approach to restoring the services that touch more than one in three patients in the United States. Pharmacy network services were restored to 99% of customers on March 7, followed by Change’s electronic payments platform on March 15. 

Earlier this week, the company began releasing medical claims preparation software, although a report from the Associated Press (AP) notes that there is no clear estimate for when services will be completely restored. 

“We continue to make significant progress in restoring the services impacted by this cyberattack,” said Andrew Witty, CEO of UnitedHealth Group. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”   

CMS, UHG support providers with funding and flexibilities 

UnitedHealth Group has advanced more than $2 billion to support providers during the extended downtime, and CMS has similarly offered flexibilities to those hit hardest by the inability to submit claims or process prescriptions. 

Just days after the attacks were discovered, CMS implemented a series of policies that allowed organizations to expedite a switch to a new clearinghouse, access funding advances, and temporarily sidestep certain administrative requirements, such as some prior authorizations, to keep care services on track for patients. 

The White House and HHS have been keeping close tabs on the situation through a series of industry meetings. On the same day as Change Healthcare released its latest statement, HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm met with payer and provider stakeholders to offer updates on the government’s efforts to mitigate the impacts of the attack. 

Officials stressed the importance of collaboration during this time and emphasized the importance of providing assistance to vulnerable providers, including small, rural, and safety-net healthcare providers who are still struggling with the attack’s impact on their cash flows. 

OCR makes moves to investigate Change Healthcare 

Meanwhile, the Office of Civil Rights (OCR) is moving in to investigate whether protected health information was exposed during the incident and whether Change Healthcare followed all the applicable laws around protecting patient privacy and data security. 

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” wrote OCR Director Melanie Fontes Rainer in a letter to the industry. 

Fontes Rainer noted that OCR has only “secondary” interest in investigating providers, plans, or business associates of Change Healthcare during its scrutiny, but reminded these and other organizations of their responsibility to ensure that business associate agreements are in place and that they participate in timely breach notification reporting as required by HIPAA. 

“OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together,” she concluded. “OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.” 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.