Letter to Health Care Leaders on Cyberattack on Change Healthcare – HHS.gov
An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Dear Health Care Leaders,
As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.
In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people. The Biden-Harris Administration has taken action by removing challenges for health care providers and addressing this cyberattack head on. Now, we are asking private sector leaders across the health care industry – especially other payers – to meet the moment.
The Biden-Harris Administration remains committed to ensuring that all Americans can access needed care in spite of this cyberattack. We urge the private sector to quickly identify and carry out solutions. Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers.
We urge UnitedHealth Group to:
We urge insurance companies and other payers to:
While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any health care entity that can step up. For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and avoid cost-prohibitive pricing.
In addition to the actions outlined above, earlier this week, the U.S. Department of Health and Human Services (HHS) announced steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist states and health care providers to continue to serve patients and avoid disruptions. Specifically, CMS has streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed Medicare Administrative Contractors (MACs) to be prepared to accept paper claims submissions during the course of the outage. Just yesterday, CMS provided instructions to MACs about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers.
Overall, this incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem. That’s why, in 2023, HHS released a concept paper that outlines HHS’ cybersecurity strategy. The concept paper builds on the National Cybersecurity Strategy that President Biden released in 2023, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. Also, in 2021, the Department of Labor released Cybersecurity Program Best Practices to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. We urge you to visit the HPH Cyber Performance Goals website and implement these steps to stay protected.
Sincerely,
Xavier Becerra
Secretary, U.S. Department of Health and Human Services
Julie A. Su
Acting Secretary, U.S. Department of Labor
Receive the latest updates from the Secretary, Blogs, and News Releases
Receive latest updates
For general media inquiries, please contact media@hhs.gov.
Receive the latest updates from the Secretary, Blogs, and News Releases.
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775
