The most significant and consequential cyberattack in American history began Feb. 21 against UnitedHealth Group's Change Healthcare, crippling financial operations for hospitals, insurers, pharmacies
HHS / American Taxpayers bail out UnitedHealth Group while they fumble crisis response and require physicians to reapply every 7 days for funding
(UnitedHealthcare Group CEO Andrew Witty talks about “Values Based Care” with CNBC interviewer General Reporter Bertha Coombs in 2022. Bertha mentions the benefits of a Single Payer National Health Program. Witty is currently being investigated by the United States Department of Justice for architecting multiple White Collar Health Care crimes including systemic over-billing, antitrust crimes, squandering resources earmarked for cyber security and for methodically violating HIPAA patient privacy. American taxpayers are currently saving his company as the federal government sends federal emergency funding to clinics the cyber attack damaged.)
The UnitedHealth Group’s Change Healthcare cyberattack mismanagement: A timeline
The most significant and consequential cyberattack in American history began Feb. 21 against UnitedHealth Group's Change Healthcare, crippling financial operations for hospitals, insurers, pharmacies and medical groups nationwide. Here is the timeline of the response mismanagement since it began, including regulatory and policy updates:
March 19
A bipartisan group of nearly 100 federal lawmakers urged HHS to use its full authority to ensure payments are being made to hospitals, physicians and Medicare Advantage plans, along with state Medicaid programs. Congress is also asking HHS to address "the inability of many patients to receive timely access to medications" and to continue its conversations with UnitedHealth about recovery efforts.
March 18
UnitedHealth Group said it has advanced more than $2 billion to providers and is launching software for medical claims preparation. The company has restored 99% of pharmacy network services. Change's electronic payments platform was restored March 15, with payer implementations underway.
Fifteen insurers and trade groups met with Biden administration officials to discuss the industry's ongoing response to the attack. Stakeholders discussed how progress has been made in reestablishing claims processing systems, though small, rural and safety-net providers specifically are still reporting issues with cash flow.
Fitch Ratings said the attack could negatively affect the credit profiles of smaller healthcare providers, pharmacies and other companies that rely on Change services. Higher-rated companies are assumed to have the flexibility to withstand the disruptions.
March 15
An American Hospital Association survey of nearly 1,000 hospitals conducted between March 9 and 12 found that 94% of hospitals have felt financial impact from the attack, and more than half have reported a "significant or serious" impact. Seventy-four percent of hospitals reported a direct effect on patient care.
Provider claims to payers have dropped by more than one-third, according to an analysis of 1,850 hospitals and 250,000 physicians nationwide by Kodiak Solutions. Through March 9, the total estimated cash flow impact for hospitals reporting data to Kodiak is $6.3 billion in delayed payments.
March 14
The American Medical Association said "it is dumbfounding that following weeks of silence and a lack of assistance to struggling practices in the wake of the Change Healthcare cyberattack, AHIP's response is a 'business as usual' approach to prior authorization. This approach is particularly galling since service outages have exacerbated the administrative burdens and care delays already associated with this process."
March 13
The federal government launched an investigation into UnitedHealth and Change over the cyberattack within the context of HIPAA compliance.
The AHA urged Congress to consider existing statutory limitations that could limit aid from CMS and HHS to hospitals and providers.
March 12
AHIP President and CEO Mike Tuffin said suspending prior authorization requirements could do more harm than good and that individual plans and providers are in the best position to assess how to maintain appropriate payments in a timely manner.
Officials with the Biden administration summoned UnitedHealth Group CEO Andrew Witty to the White House, urging the company to provide more emergency funding to providers.
Highmark Health detailed an advance funding program for providers struggling with cash flow, becoming the first Blue Cross Blue Shield company to do so. The company is not waiving prior authorizations at this time.
March 11
Massachusetts hospitals are losing at least $24 million a day due to the cyberattack, the state hospital association reported.
The AMA called for and offered to help create a list of all payers that are offering advance provider payments.
March 10
HHS called on UnitedHealth to "take responsibility to ensure no provider is compromised by their cash flow challenges" and to expedite the delivery of payments. The government urged the company to communicate about recovery efforts more frequently and with more transparency to both the healthcare system and state Medicaid agencies.
For all payers, HHS asked that interim payments be made to affected providers and that prior authorization and other utilization management requirements be put on hold temporarily.
March 9
CMS expanded its response to the attack to include advance payments to physicians and other outpatient care providers experiencing claims disruptions.
March 8
The AHA said it will take several weeks, if not months, before hospitals and other healthcare providers can fully recover from the attack. Moody's said the fallout will affect hospitals' credit ratings as they search for alternative claims filing methods.
March 7
UnitedHealth Group released a timeline for restoring key Change Healthcare systems, and CEO Andrew Witty committed to making things right "as fast as possible."
As of March 7, Change's pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection March 15. Its medical claims network and software are expected to start testing for reconnection March 18, with the company working throughout that week to restore service.
Until March 31, UnitedHealth has suspended Medicare Advantage and D-SNP prior authorizations for most outpatient services.
March 6
Lawsuits began rolling in against UnitedHealth Group over the cyberattack. At least five federal lawsuits have been filed this month against the company, court records show.
March 5
HHS accelerated payments to hospitals affected by the cyberattack and instituted other workarounds for providers. CMS encouraged Medicare Advantage organizations and Part D sponsors to remove or relax prior authorizations.
Elevance Health's CFO Mark Kaye said the company initially saw a 15% to 20% reduction in the daily volume of data it receives from providers following the attack, and now is down about 10% relative to normal daily volumes. Humana's CFO, Susan Diamond, said about 20 percent of the company's medical claims submitted by providers go through Change Healthcare's system before they reach the payer, making it difficult to gauge total medical expenses.
March 4
The AHA called Change Healthcare's temporary funding program for affected providers inadequate, while U.S. Senate Majority Leader Chuck Schumer asked CMS to speed up payments to hospitals.
Larger health systems are bleeding more than $100 million daily because of the interruptions, cybersecurity company First Health Advisory told multiple news outlets. Despite this, some health systems resumed normal operations. Renton, Wash.-based Providence resumed normal operations, utilizing electronic prescriptions via Epic and phasing out the use of paper scripts.
The Department of Homeland Security warned healthcare organizations to look out for "malicious cyber actors [that] target the Healthcare and Public Health Sector for financial gain, cyber espionage purposes or ideological reasons."
March 3
ALPHV/BlackCat received a bitcoin payment worth over $20M on March 3, Reuters reported. A cybersecurity firm said the destination of the funds was associated with the ransomware group that claimed responsibility for the hack. UnitedHealth Group did not comment on if it had paid the group, but said it was focused on the investigation and recovery of Change's services.
March 1
Optum introduced a temporary funding assistance program for providers struggling with cash flow after the attack. Change also implemented a workaround system for its e-prescribing program for pharmacies. The company said it was working with Microsoft and Amazon Web Services to do an additional scan of its cloud environment.
Feb. 29
Change Healthcare confirmed ALPHV/BlackCat represented itself as the group behind the attack. The ransomware group claimed it had stolen 6 terabytes worth of data from Change, including medical records, patient Social Security numbers, and information on active military personnel. Ransomware groups are known to exaggerate the amount of data they have to demand higher payments.
Change said it was working with cybersecurity firms Palo Alto Network and Mandiant, a Google subsidiary, and law enforcement to address the cyberattack.
Feb. 27
HHS warned hospitals to be wary of ALPHV/BlackCat, the group that claimed responsibility for hacking Change Healthcare. Most of the group's 70 victims since December have been in the healthcare industry, the agency said, and the ransomware gang's leaders have encouraged members to target hospitals.
In a message to providers, Aetna said it was aware some providers in its network may not be receiving timely payments. The insurer said it was prioritizing workarounds to get payments to providers. Aetna said it would not liberalize any prior authorization requirements at that time.
Feb. 26
Ransomware group BlackCat claimed responsibility for the attack, sources with knowledge of the incident told Reuters.
Fitch and Moody's said the incident carries legal and reputational risks for UnitedHealth Group but will not affect credit ratings.
UnitedHealth Group said 90% of the 70,000-plus pharmacies in the U.S. using Change Healthcare's platform modified electronic claims processing to mitigate effects of the hack. The remaining 10% have offline processing workarounds, the company said.
Feb. 22
As hospitals, health systems and pharmacies reported disruptions from the attack, the AHA urged facilities to disconnect from Optum's systems. A spokesperson for Danville, Pa.-based Geisinger Healthcare said the system immediately disconnected from Change's systems following the attack.
UnitedHealth Group said it suspected a "nation-state group" was behind the attack.
Feb. 21
Optum reported "enterprise-wide connectivity" issues early in the morning. Later in the day, Optum said Change Healthcare was experiencing a network disruption due to a cybersecurity threat, and it immediately disconnected Change's systems after the attack was discovered.