
The Change Healthcare Data Breach and Navigating Your Exposure

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to the most consequential cyber-ransom attack to hit the healthcare industry.   

Change Healthcare provides a significant number of critical functions, such as the management of clinical criteria used for pre-authorization, verification of coverage, and the processing of patient claims to third-party payers. This cyberattack has led to a catastrophic financial burden that potentially threatens the existence of many healthcare providers across the nation due to extensive delays in providing care to patients and submitting claims for payment.

Further, the ransomware attack led to a freeze of the organization's billing and care portals, barring providers throughout the country from ordering prescriptions, billing claims, collecting revenue, and providing optimal patient care. The American Hospital Association (“AHA”) later advised health systems to disconnect from any integrated applications or portals tied to Change Healthcare to mitigate their exposure.

Overview of the Change Healthcare data breach 

According to Change Healthcare, it initially recognized the cyber threat on February 21, 2024, after an external actor gained access to one of their internal portals. While Change Healthcare disconnected its systems to isolate the breach, healthcare systems and providers throughout the U.S. were hit with myriad administrative and revenue-related issues. Providers lost access to critical functions, such as claims processing and electronic bill pay services, creating harrowing administrative burdens and financial insecurities.  

AHA’s plea to HHS 

On February 26, the American Hospital Association sent a letter to Health and Human Services (“HHS”) Secretary Becerra focusing on the critical financial issues impacting providers as a result of the ransomware attack:  

  • The advancement of Medicare payments.
  • Guidance to all third-party payers on issuing periodic interim payments.  
  • Ensuring that United Healthcare takes the appropriate steps to:  
    • Remedy the situation as quickly as possible.
    • Provide meaningful financial assistance programs.
    • Conduct timely updates to providers. 

As of March 4, various outlets reported that according to an online hacking community, a $22 million payment was made to a bitcoin wallet that belongs to the group claiming responsibility for the breach.   

HHS’ response to the cyber-ransom attack 

On March 5, HHS said it will work toward aiding hospitals in maintaining needed cashflow due to the Change Healthcare ransomware attack, but it fell short in addressing the impacts on physicians. 

More specifically, HHS said hospitals facing cash-flow issues from the IT outage will be able to submit accelerated payment requests, similar to the process that was in place during COVID, to the Medicare Administrative Contractors (“MACs”) for consideration. HHS indicated more details will follow from the MACs in the upcoming days. The American Medical Association (“AMA”) was supportive of the plan but stated that physicians need financial relief as well. "Many physician practices operate on thin margins, and we are especially concerned about the impact on small and/or rural practices as well as those that care for the underserved," AMA President Jesse Ehrenfeld, MD, stated on March 5. Further, the AMA urged HHS to offer similar financial assistance to physicians, such as the accelerated payment requests being offered to hospitals, to keep them whole during this crisis.

Change Healthcare’s response 

To mitigate the challenges and bridge the financial gap presented by this downtime, Change Healthcare rolled out various programs for providers: 

  • Live Updates: A website with updates on the cyberattack containing information for providers, pharmacies, and chief information security officers.
  • Financial Assistance: Change and its parent company, UnitedHealth, introduced a temporary funding assistance program to help providers affected by payer system outages.
  • E-Prescribing Workarounds for Pharmacies: The new instance was launched after a successful round of testing with vendors and retail pharmacies.
  • Industry Visibility: The AHA is staying in "close contact at the highest levels" with Optum and Change Healthcare parent company UnitedHealth Group to minimize disruptions to hospital leaders. The Joint Commission and AHA have said hospitals and health systems should prepare for approximately a month of downtime after a ransomware attack. 

Next steps for your organization 

Keep cash flowing   

During times of outage (natural or man-made), having a proactive downtime plan to address revenue leakage is key to business continuity. To aid your organization through navigating system downtime and revenue gaps, focus on these core areas:

  • Alternate clearinghouses for billing of claims to reduce held claims inventory. (Providers should contact their MAC if they want to make such a change.)
  • Utilize payer portals for claim submission and/or reconsiderations, corrections, and appeals.
  • Review and submit applications for Medicare accelerated payments. (MACs will offer information about applying for Medicare accelerated payments.)
  • Work with all major third-party payers on the issuance of periodic interim payments.
  • Redeploy billing staff for deeper focus on: 
    • Previously billed and adjudicated claims, specifically first- and second-passed denied claims.
    • Accounts receivable “swat teams” focused on aged claim buckets for all payor types.
    • Patient balances and in-house patient collections.
  • Work with payer provider reps to resolve systemic issues preventing significant claims from being approved for payment.
  • Manage the quality of claim touches by billers to ensure the most immediate and actionable results.
  • Ensure that scrubber edits are capturing a vast majority of the rejection reason codes to minimize claim submission delays.
  • Ensure that physicians complete their progress notes within 48 hours of service. 

As of March 9, 2024, the Centers for Medicare & Medicaid Services (“CMS”) announced it is extending financial relief for health systems impacted by the Change Healthcare outage.

Mitigate the risk of exposure and future attacks 

Change Healthcare’s data breach, while extremely costly in scale and exposure, is unfortunately part of a growing list of cyberattacks in the healthcare industry. The combination of valuable personal data, quickly evolving digital health practices, and an increasing volume of payor transactions has made the industry ripe for cybercrime; organizations need to proactively protect their systems. Here are a few strategies healthcare leaders can employ to mitigate risk and protect their patients and organization. 

  • Ensure regular review and adoption of recommendations across all sources including AHA, CISA, HHS, Change Healthcare incident page, etc.
  • Create a set of questions related to the breach required to be completed by Change Healthcare to reestablish connectivity to the system. Can they provide some level of assurance that the incident has been contained? What security improvements/changes have been made to identify and thwart future attacks?
  • Document the process for reconnecting and verifying application functionality once connectivity is reestablished.
  • Review cybersecurity recommendations to reduce the risk of ALPHV Blackcat threat group attacks. The group has targeted the healthcare space extensively and guidance indicates that this will continue.  
  • Notify cyber liability insurance providers for potential cyber incident and/or business interruption claims, even if the scope of impact is not readily apparent currently. Policies typically have timely notification language.  
  • Have a backup clearinghouse vetted and ready to implement.
  • Update disaster recovery and business continuity plans to ensure there are appropriate alternate processes for key IT systems and third-party vendors.   

Ask for help 

Healthcare has unfortunately proven itself as a lucrative industry for cybercriminals looking to steal data and hold critical services for ransom. Make sure you stay informed on the Change Healthcare situation as it develops further. Finally, understand you are not alone in this, and success rarely occurs on an island. No matter your practice’s exposure, having a proactive risk mitigation strategy team is key to your success. Make sure you have an experienced response team in place to protect your practice and patients today and going forward. If you have questions about next steps for your organization, contact us below. 

This article was created with contributions from the entire EisnerAmper Healthcare Industry Group. 
