Daily updates: What to know about the Change Healthcare cyberattack 

A February 21, 2024 ransomware attack on Change Healthcare has impacted healthcare organizations throughout the United States. According to the Change Healthcare website, the company connects with 1 of every 3 patient records in the US and processes 15 billion electronic healthcare transactions a year, making it one of the largest clearinghouses in the industry. 

The American Hospital Association has stated that the attack against Change Healthcare is “the most serious incident of its kind leveled against a U.S. health care organization.” In the wake of the attack, service disruptions have prevented pharmacies, healthcare providers, and medical billing companies from verifying insurance and processing financial transactions. 

Staying informed can help healthcare businesses minimize the fallout, reduce financial delays, and protect patients from harmful care interruptions. This explainer will get you up to speed about the Change Healthcare cyberattack.

Change Healthcare, a subsidiary of Optum healthcare technology company, provides a range of digital services including patient records sharing, revenue cycle management, insurance verification, and Rx processing. On February 21, 2024, a hacker group carried out a ransomware attack on Change Healthcare, causing a shutdown of all services.

For more information about how the cyberattack is impacting practices, check out our guide "Change Healthcare cybersecurity attack: What does this mean for my practice?"

This section will be updated with ongoing developments.

May 28, 2024: The Nebraska Attorney General's Office issued a consumer alert regarding the data breach, expressing concern that a delay in notifying impacted Nebraskans will limit their ability to take proactive steps to prevent further harm. 

Issued Friday, May 24, the alert warns that many Nebraskans are likely to have sensitive data exposed, including names, phone numbers, email addresses, Social Security numbers, medical record numbers, and payment information. To prevent or mitigate identity or financial theft, the alert recommends ordering new credit cards, freezing credit accounts, and monitoring bank and credit statements for suspicious activity. 

In April, UnitedHealth Group promised to notify impacted consumers. However, UHG has also stated that due to the complex nature of the breach, it may take several months to identify and notify impacted individuals.

Follow this timeline of events to stay up-to-date on the Change Healthcare cyberattack.

February 21, 2024: Change Healthcare began experiencing ongoing, enterprise-wide connectivity issues.

February 22, 2024: Change Healthcare confirmed the disruption was caused by a cybersecurity issue. All other systems across Optum and parent company United Health Group (UHG) were reported as unaffected.

February 23, 2024: UHG took immediate action to disconnect all Change Healthcare systems to prevent further impact.

February 29: 2024: Cyber crime threat actor ALPHV/Blackcat took responsibility for the attack. 

March 1, 2024: Change Healthcare’s new version of their ePrescribing system was made available

March 4, 2024: Optum launched a temporary funding assistance program to help organizations manage short-term cash flow needs.

March 5, 2024: The US Department of Health and Human Services (HHS) released a statement announcing flexibilities for Medicare providers designed to ensure continuing care delivery. These include expedited claims processing, relaxing of prior authorization, exceptions, waivers, and extensions.  

March 6, 2024: In a statement, Rick Pollack, President and CEO of the American Hospital Association, said the measures announced by HHS on March 5 are inadequate compared to the far-reaching impact of the Change Healthcare incident. “The magnitude of this moment,” the statement says, “deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it.”

The American Medical Association credited HHS for its initial steps, but is urging federal officials to go “above and beyond what has been put in place and include financial assistance such as advanced payments for physicians.”

March 7, 2024: UnitedHealth Group posted an updated timeline on their website regarding restoring Change Healthcare systems. On their website, they shared that electronic prescribing is fully functional again with pharmacy claim submission and payment transmission also available. 

They also stated their electronic payment functionality will be available for connection beginning March 15, 2024 and that their claims network and software will be available March 18, with services being restored throughout that week.

The company also announced it will provide further funding assistance to medical, dental, and vision providers. More information is available on the Optum website. 

According to UnitedHealth Group, there is no indication that any of their other systems have been affected by the cyberattack.

March 9, 2024: The Centers for Medicare & Medicaid Services (CMS) initiated Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers. See this CMS fact sheet for more information.

March 12, 2024: The Centers for Medicare & Medicaid Services (CMS) has extended the 2023 MIPS data submission deadline until April 15 due to the Change Healthcare cyberattack.

Health and Human Services (HHS) Secretary Xavier Becerra and other White House officials met with UnitedHealth and industry organizations to discuss the attack.

March 13, 2024: The Office of Civil Rights said it will investigate the cyberattack and see whether Change Healthcare followed laws protecting patient privacy.

March 14, 2024: UnitedHealth Group said its pharmacy network is back online.

March 15, 2024: UnitedHealth Group said Change Healthcare’s electronic payments platform was restored and is now proceeding with payer implementations. It also noted that it will take time to fully bring all payers and providers back online.

March 18, 2024: UnitedHealth Group said its medical claims preparation software, Assurance, is back online.

March 19, 2024: Representatives Mariannette Miller-Meeks (R-IA), Robin Kelly (D-IL), and 94 other bipartisan members of the House of Representatives sent a letter to HHS Secretary Xavier Becerra about the ongoing struggles due to the Change Healthcare Cyberattack, focusing on issues like filing claims and the stringent repayment terms for advance payments. They also raised concerns about patients having to pay out-of-pocket for services because of the cyberattack and the need for measures to prevent malicious actors from gaining access to private healthcare information.

March 25, 2024: UnitedHealth Group announced last week that its largest clearinghouse, Relay Exchange, will begin processing a backlog of more than $14 billion in medical claims. UHG expects to restore several of Change Healthcare’s products this week, with service reconnection continuing at least through the week of April 8. The company recently stated that it has already advanced more than $2 billion to help providers in need. 

Currently under federal investigation for HIPAA violations related to the attack, UHG also faces a growing number of class action lawsuits. On March 25, US Representative Jamie Raskin, Ranking Member of the Committee on Oversight and Accountability, sent a letter to UHG requesting a briefing and information on the cyberattack and resulting system outages. 

According to an American Hospital Association (AHA) survey, the cyberattack has financially impacted 94% of US hospitals, with 74% reporting a direct impact on patient care. Weeks after the attack, many independent practices are still managing cash flow issues. On March 22, US Senator Mark R. Warner, member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, introduced legislation that would guarantee advance and accelerated payments to providers who meet minimum cybersecurity standards in the event of a cyber incident.

April 1, 2024: On Monday, March 25, the Departments of Health and Human Services (HHS), Administration for Strategic Preparedness and Response (ASPR), and Centers for Medicare & Medicaid Services (CMS) released national guidance for providers impacted by the Change Healthcare cyberattack. An accompanying letter says the guidance is intended to help providers work with payers, access resources, obtain advanced payments, connect to alternative clearinghouses, and other services that mitigate ongoing issues related to the cyberattack.

Many industry voices, including independent providers, media leaders, and medical societies, have criticized Change Healthcare’s preparedness and post-attack response. Meanwhile, on March 27, the US Department of State’s Rewards for Justice (RFJ) program issued a reward of up to $10 million for information regarding “ALPHV BlackCat actors, their affiliates, activities, or links to a foreign government,” and anyone who engages in “certain malicious cyber activities.” 

A March 31 update states that UnitedHealth Group and Optum are continuing to restore impacted Change Healthcare products and services, “beginning with medical network and transaction services such as Pharmacy solutions, Exchange clearinghouse, Assurance Reimbursement Management, Clearance Patient Access Suite and Reimbursement Manager as well as claims and eligibility transactions.” 

April 9, 2024: A dark web post shared by cybersecurity analyst Dominic Alvieri on Monday, April 8, suggests that a second ransomware group has threatened to expose data allegedly stolen from Change Healthcare. While ALPHV/BlackCat has claimed responsibility for the attack, a new group, RansomHub, says it now possesses the alleged 4TB of data stolen from Change Healthcare and will demand an additional ransom. UnitedHealth Group may have made a $22 million payment in bitcoins to ALPHV/BlackCat in February before that group announced its dissolution. 

It’s unclear whether the new group, RansomHub, is a rebrand of ALPHV/BlackCat; a separate entity that obtained the stolen data from former ALPHV/BlackCat affiliates; or a scam banking on UnitedHealth Group’s willingness to make another hefty payment. Regardless, the new threat clearly demonstrates the potential for healthcare cybersecurity breaches to have unexpected and long-lasting repercussions.

Last week, Change Healthcare asked the United States Judicial Panel to consolidate at least 24 class action lawsuits into a large proceeding overseen by the US Middle District Court of Tennessee. The April 3 filing states that most of the cases were filed in the Middle District and that this Court is well-equipped to handle a “complex multi-district litigation related to a cyberattack.” Change Healthcare is also headquartered in the Middle District.

In an April 3 update, UnitedHealth Group said it has advanced nearly $4.7 billion to providers in need. Service restoration is ongoing.

April 15, 2024: A survey by the American Medical Association, released on Wednesday, April 10, underscores the devastating impact the cyberattack has had on smaller practices. Among 1400 participants, 80% said unpaid claims have caused revenue loss, while 85% said they’ve had to allocate additional staff and resources to manage revenue cycle tasks. In comments, some participants expressed fears of losing their business or bankruptcy. 

Many Change Healthcare products have been partially or fully restored. However, the restoration of several services is ongoing. These include Clinical Exchange (e-prescribing, ordering, and resulting), Payer Connectivity Services, and a Payer Print Communication Multi-Channel Distribution System, which facilitates the printing and distribution of payment-related documents. 

On Friday, April 12, WIRED magazine reported that it received screenshots from a ransomware group appearing to be files stolen from Change Healthcare. RansomHub, the second group to demand a ransom from UnitedHealth Group, sent screencaps that appear to be patient records and Change Healthcare’s business documents. WIRED couldn’t conclusively verify the screenshots’ authenticity; regardless, it's clear that RansomHub’s threats should be taken seriously.

April 22, 2024: In an April 16 hearing, lawmakers from the US House Subcommittee on Health focused on cybersecurity vulnerabilities in the health sector, highlighted by the Change Healthcare cyberattack. The Subcommittee requested testimony from cybersecurity experts, key witnesses, and representatives from UnitedHealth Group. However, UHG didn’t show up.

Nevertheless, participants answered questions and discussed issues regarding recent data breaches and how federal oversight and private sector initiatives can work to bolster defenses across the industry. Lawmakers sharply criticized UHG for both its poor response to the cyber incident and its acquisition of Change Healthcare last year, saying consolidation makes the entire sector less secure.

Last week, Energy & Commerce Committee Chair Rep. Cathy McMorris Rodgers, Oversight & Investigations Subcommittee Chair Rep. Morgan Griffith, and other ranking lawmakers sent an 8-page letter to Andrew Witty, CEO of UHG, demanding answers. Witty has agreed to testify before the Subcommittee on May 1, 2024. 

"Americans are still dealing with the fallout of the Change Healthcare hack. Individuals and smaller providers, in particular, have struggled financially following the cyberattack, threatening critical access for patients,” Rodgers and Griffith said in a joint statement. “While we’re disappointed that UnitedHealth could not join us for the recent Health Subcommittee hearing on cybersecurity, we look forward to learning more on what happened in the lead up to, and in the weeks following, the attack.”

April 30, 2024: On April 22, UnitedHealth Group said in a statement that it believes files containing personal information were accessed during the cyberattack, potentially affecting “a substantial proportion of people in America.” UHG stresses that so far, no evidence suggests that doctors' charts or full medical histories have been captured. 

In written testimony ahead of May 1 hearings in both the House and the Senate, UHG CEO Andrew Witty revealed that the hackers used compromised credentials to remotely access a Change Healthcare Citrix portal. He admitted the portal didn’t have multi-factor authentication, a basic and highly effective cybersecurity measure.

Meanwhile, in an April 25 letter to Witty, 22 State Attorneys General expressed concern for the cyberattack’s impact on State Health Care Infrastructure. The letter demanded that UHG do more to help affected patients and providers. 

The AMA released the results of a follow-up to a survey published earlier this month showing that 85% of participating practices continue to experience disruptions in claim payments. As a result, 62% are still dipping into personal funds to cover practice expenses, 42% still can’t afford to buy supplies, and 34% can’t make payroll.

May 7, 2024: On May 1, UnitedHealth Group CEO Andrew Witty testified at 2 separate federal hearings about the Change Healthcare attack and its aftermath. Reiterating his written testimony, Witty told subcommittees from both House and Senate that he authorized a ransom payment of $22 million in Bitcoin to the attack group ALPHV/BlackCat on March 1.

The hearings also covered the lessons of the Change Healthcare attack regarding cybersecurity in the healthcare sector, emphasizing the importance of multi-factor authentication and third-party risk management. The scope of the attack’s impact also scrutinized consolidation in the healthcare industry — and UHG’s controversial acquisitions. 

On the day of the hearings, the American Medical Association sent a letter to the Senate Finance Committee expressing concern regarding the attack's impact on independent physician practices and calling for more robust support for smaller businesses. 

“Although the hackers are ultimately to blame for this breach,” the letter says, “the AMA has been disappointed by the response of many of the most resourced players in the health care system to meet the moment thus far, especially in their failure to support physician practices serving small, rural, or underserved communities.” 

The most recent UHG update states that Change Healthcare’s payment processing services are now functioning at 86% of pre-incident levels. On major platforms, roughly 80% of functionality for other services such as eligibility software and analytical tools has been restored.

The Change Healthcare cyberattack impacts hospitals, medical billing companies, practices, providers, and patients. Service disruptions affecting patients include eligibility verification and prescription processing, which could lead to medication interruptions or delayed care. Business operations for providers, practices, and billing entities — such as claims, billing, revenue cycle management — and payments, are also impacted. 

The Change Healthcare ransomware attack has had a profound effect on impacted practices and medical billing companies.

On the medical billing company side, operational disruptions can cause reimbursement delays and interfere with cash flow. For medical practices, handling a backlog of prescriptions, billing, and insurance claims may cause a burden for administrative teams and increase operational costs. Practices must also worry about how service disruptions could compromise care quality and patient experience. If affected, your practice may experience the following:

The exact effect on your practice depends on multiple factors, such as whether you work directly with Change Healthcare or how many of your payers and other partnerships rely on the Change Healthcare system.

If your practice deals directly with Change Healthcare for Rx services, a new version of their ePrescribing system was made available on March 1, 2024. Optum has also announced a temporary funding assistance program to help providers whose payments from payers are impacted. 

On March 5th, 2024, the US Department of Health and Human Services (HHS) released a statement announcing flexibilities for Medicare providers designed to ensure continuing care delivery. These include expedited claims processing, relaxing of prior authorization, exceptions, waivers, and extensions.  

For medical practices and billing companies affected by the cyberattack, communicate with your payers about temporary solutions and what their exception policy is in regards to the outage and timely filing requirements. If you can, consider holding claims to allow Change Healthcare more time to come back online or until your payer opens additional transaction paths. 

If you decide to submit a claim manually, use caution regarding payers’ bandwidth to handle increased paper claims. Make sure to understand their preferred submission format before submitting paper claims so you can avoid processing and reimbursement delays.

Be sure to keep detailed records of claims processed at this time. This will facilitate reconciliation of discrepancies discovered later on. Each billing company and practice has their own unique circumstances too, so choose what works best for your business.

In its statement, HHS said that the Change Healthcare attack “is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Ongoing government initiatives already focus on strengthening resilience against cyberattacks. The attack should result in a ramping up of those efforts. 

It also serves as a wakeup call across the healthcare industry. From large healthcare organizations to single providers, cyberattacks can have disastrous consequences.

To protect essential data, both practices and billing companies should review their own security protocols. Investments of time, labor, and staff training will be worth the effort towards preventing future attacks of this nature.

As of May 7, 2024, 2024, the Change Healthcare cyberattack is ongoing. Look on The Intake for updates as the situation continues to develop.