HHS seeks payers' input on Change cyberattack response

The recent cyberattack on Change Healthcare, a prominent healthcare technology company, has prompted the US Department of Health and Human Services (HHS) to seek input from payers on how to effectively respond to such incidents. 

What happened 

The cyberattack on Change Healthcare, which occurred on September 28th, 2023, involved a ransomware organization employing a tactic known as "double-extortion." The attackers exfiltrated data and encrypted several systems, impacting approximately 2.7 million patients. 

In response to the cyberattack, HHS, led by Secretary Xavier Becerra and Deputy Secretary Andrea Palm, convened a meeting with payers to discuss potential actions to mitigate the harm caused by the incident. 

Going deeper

During the meeting, Secretary Becerra and Advisor Tanden acknowledged the adjustments made to improve claims processing but called for further support to providers, particularly those serving vulnerable populations, rural hospitals, and smaller institutions. They emphasized the need for continued collaboration between the government and the private sector to ensure healthcare providers can meet their financial obligations and deliver timely care.

What was said

Dr. Jesse Ehrenfeld, president of the American Medical Association, slammed insurer group AHIP's inaction in response to the recent cyberattack, stating, “It is dumbfounding that following weeks of silence and a lack of assistance to struggling practices in the wake of the Change Healthcare cyberattack, AHIP's response is a 'business as usual' approach to prior authorization.” 

Ehrenfeld criticized this approach, particularly as service outages have worsened administrative burdens and care delays associated with the process. He pointed out the contrast between prioritizing profits over the stability of the care delivery system and the Biden Administration's call for health plans to meet the moment.

In the know

HHS was informed of the cyberattack on Change Healthcare systems on February 21. Since then, HHS and other federal agencies have undertaken several actions:

• On March 13, the Centers for Medicare and Medicaid Services (CMS) issued a set of responses to frequently asked questions concerning the availability of accelerated and advance payments.
• Also, on March 13, HHS distributed a questionnaire to payers who attended a meeting on March 12 regarding the Change Healthcare cybersecurity incident.
• Additionally, on March 13, HHS' Office of Civil Rights (OCR) released a "Dear Colleague" letter addressing the cybersecurity incident affecting Change Healthcare, a branch of UHG, and other healthcare organizations. Due to the significant scale of the attack and public interest, OCR declared in the letter that it had initiated an investigation into the cyberattack on Change Healthcare and United Health. 
• On March 15, CMS reopened the 2023 Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) Exception Application to offer relief to clinicians affected by the cybersecurity incident in terms of reporting requirement deadlines.
• Furthermore, on March 15, CMS announced flexibilities aimed at assisting state Medicaid agencies in providing necessary relief to Medicaid providers and ensuring access to healthcare coverage. 

Why it matters 

The HHS's efforts to seek input from payers on the response to the Change cyberattack reflect a collaborative approach to address the challenges posed by cybersecurity threats. The healthcare industry can enhance its preparedness and response capabilities by using the expertise and resources of both the public and private sectors. Organizations need to pay close attention to the information provided in this scenario by the HHS and others to safeguard patient data, maintain the continuity of care, and ensure the overall security and integrity of the healthcare system.