The Change Healthcare Cyber Attack: What You Need to Know
Published March 19, 2024

**Updated March 18, 2024** [1]

Healthcare organizations nationwide are reeling from Change Healthcare’s recent cyber attack, experiencing delays in claims processing and significant impacts on revenue. The attack occurred on February 21, 2024, and prompted Change Healthcare to shut down its systems, including more than 100 applications across pharmacy, medical record, clinical, dental, patient engagement, and payment services. Change Healthcare has confirmed the ransomware group, BlackCat, is behind the attack, after initially suspecting a “nation-state associated cyber security threat actor.” Change Healthcare has been providing real-time updates via UnitedHealth Group’s website.

Q: Who is ALPHV/BlackCat?

A: BlackCat, also known as ALPHV or Noberus, typically follows a “ransomware-as-a-service” model, where developers create ransomware and affiliates use the ransomware to identify and attack “high-value victim institutions,” according to a December 2023 release from the Department of Justice. BlackCat is a particularly sophisticated ransomware strain because it is both human-operated and command-line driven, making it difficult for traditional detection tools to alert accurately on its presence within a system. BlackCat is known to use a variety of different encryption methods and has proven adept at gaining access to networks and moving within them.

Q: What services are affected by this cyber attack?
(Updated March 18, 2024)

A: Currently, electronic claims submission, real-time eligibility verification, and electronic remittance advice (ERAs) are not functional. Change Healthcare continues to update its webpage with details about workarounds and the progress it has made.

On March 7, 2024, UnitedHealth Group released a timeline to restore Change Healthcare systems:

  • Effective March 7, 2024, electronic prescribing, claim submission, and payment transmission functions are all fully functional for pharmacy services.
  • UnitedHealth Group expects connection will be restored for electronic payments on March 15, 2024.
  • Connectivity to the medical claims network and software will be tested beginning March 18, 2024, and full restoration is expected that week.

On March 18, 2024, UnitedHealth Group published a press release to provide a status update on the mitigation efforts.

  • As of March 15, 2024, the electronic payments platform was restored.
  • UnitedHealth Group began releasing and testing medical claims preparation software to restore batch claims and remittance services on March 18, 2024.

Q: How can I verify benefits and patient eligibility?

A: Provider organizations have the option to utilize payer portals to access eligibility information and check claims status. If the portal is unavailable, you may consider calling the payer’s provider service line; however, PYA recognizes not all organizations will have the resources or manpower available to resort to manual processes.

Q: What are my options to submit claims?
(Updated March 6, 2024)

A: Change is currently recommending its providers and vendors connect via its electronic data interchange (EDI) option and has launched a series of webinars and dedicated resources to assist with getting claims connections built.

Depending upon the staffing complement within your provider organization, you may be able to submit claims manually through payer portals and track claims status and updates. Additionally, you may elect to submit hard-copy claims to payers. While this is not an ideal solution, it may provide more timely receipt of delayed payments once Change Healthcare’s functions are restored. (Change notes that it “encourages [providers] to execute…continuity plans with clearinghouses and continue to use payor portals for claims submission, status and eligibility.”)

Alternatively, provider organizations may hold claims for submission until functions are restored and, in the meantime, consider drawing upon a line of credit or requesting temporary funding from UnitedHealth Group (as outlined below).  

Finally, some clearinghouses such as Availity are offering “digital continuity” solutions to support key transactions.[2] 

Q: Are there other options available to offset revenue impacts?

A: To address short-term cash flow needs, provider organizations may consider drawing upon existing lines of credit and/or requesting increases to existing lines of credit. Other options include temporary reallocation of funds to supplement revenue. Depending on your individual payer contracts, you may also have the right to be paid interest on claims that were not paid timely.

Q: What is UnitedHealth Group’s temporary financial assistance program?
(Updated March 6, 2024)

A: For provider organizations impacted by payer system outages, UnitedHealth Group has established a temporary funding assistance support program to help with short-term cash flow needs. These funds are available to affected providers with no fees or interest.[3]

To determine your provider organization’s eligibility and funding amount, you must register for the program and have an Optum Pay account in place. Details on the application process can be found here.

Note that funding payments do not automatically renew; provider organizations must evaluate their needs and elect to accept funding each week. Additionally, for providers who are unable to utilize an EDI solution, Change indicates that it will proactively reach out to those providers (identified based on its internal data) with access to a supplemental funding program. Additional details on this supplemental program are anticipated Friday.

Q: Are there any drawbacks to UnitedHealth Group’s temporary financial assistance program?

A: On March 4, 2024, the American Hospital Association (AHA) released a letter to UnitedHealth Group, noting concerns with the program’s terms and conditions. Per the AHA, the agreement:

  • Requires repayment of loans within five days of receiving notice;
  • Allows Optum Financial Services to recoup funds “immediately and without prior notification”;
  • Permits UnitedHealth Group to change the agreement simply by providing notice;
  • Requires providers to give UnitedHealth Group and its subsidiaries access to past, current, and future claims payment data; and
  • Contains broad waivers of liability and strict limitations on damages.

Q: Is the federal government providing any assistance to impacted organizations?
(Updated March 18, 2024)

A: On March 5, 2024, the U.S. Department of Health and Human Services (HHS) released a statement with flexibilities the Centers for Medicare & Medicaid Services (CMS) has outlined to support impacted organizations.

  • Medicare providers wanting to change their clearinghouse should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment to make the change during the outages. CMS has instructed the MACs, and encouraged other payers including state Medicaid and Children’s Health Insurance Program (CHIP), to expedite this process;
  • CMS will encourage Medicare Advantage (MA) organizations and Part D sponsors to “remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages”;
  • CMS also encourages Medicaid and CHIP managed care plans to implement the same strategies of “removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State”;
  • Impacted organizations should contact their MAC if they are having difficulty filing claims for more information on exceptions, waivers, and extensions;
  • CMS has contacted all MACs to ensure they are prepared to accept paper claim submissions.

On March 9, 2024, CMS made Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments available to Part A providers and advance payments available to Part B suppliers impacted by the cyber attack.

  • CHOPD payments and advance payments may be granted in amounts representative of up to 30 days of claims payments to eligible providers and suppliers;
  • CHOPD payments and advance payments are not available for providers receiving Periodic Interim Payments;
  • CHOPD payments and advance payments must be requested for individual providers or suppliers (i.e., unique National Provider Identifier (NPI) and Medicare ID (PTAN) combinations);
  • The average 30-day payment is based on the total claims paid to the provider or supplier between August 1, 2023 and October 31, 2023, divided by three;
  • CHOPD payments and advance payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days;
  • A demand will be issued for any remaining balance on day 91 following the issuance of the accelerated or advance payment;
  • The rules governing CMS’s payments to MA organizations and Part D sponsors remain unchanged.

Review CMS’s CHOPD statement for specific required certifications, acknowledgement of terms, and payment amounts. All MACs will provide public information on how to submit a request for CHOPD payments or advance payments in the coming days. CMS is continuing to work with States, encouraging Medicaid managed care plans to make prospective payments to impacted providers as well.

On March 15, 2024, CMS released additional guidance on Medicaid and CHIP flexibilities, including steps states can take to assist Medicaid providers impacted by the cyber attack.

  • CMS encourages states to make fee-for-service interim payments, rather than advance payments, utilizing current state plan rates;
  • States are required to submit a state plan amendment (SPA) to expedite the CMS approval timeline to receive interim payments, and are encouraged to submit by March 31, 2024 or notify CMS of their intent to submit by April 10, 2024;
  • The interim payments may be retroactively effective to the day of the cyber attack and will end no later than June 30, 2024;
  • CMS also encourages Medicaid managed care organizations to make interim payments, waive or modify prior authorization and early refill requirements, and temporarily suspend cost sharing requirements, pending SPA submission and CMS approval.

Q: How can I protect my organization going forward?

A: It is vital that your organization has business contingency plans in place to address cyber attacks or similar disruptions in revenue cycle processes, such as proactively securing lines of credit to be utilized in the event of payment disruption. Ensure your organization has payer portal logins for all payers with significant claims volume, as well as policies and procedures outlining changes to operations in the event of a cyber attack on a vendor or on your own organization.

As it pertains specifically to BlackCat attacks, protecting Active Directory (AD) is the most effective way to prevent BlackCat from proliferating within the network and accomplishing its goals. Effectively defending AD requires a multipronged approach that includes hardening, detecting reconnaissance activity and other indicators of compromise (IoCs), and preventing domain compromise.

PYA continues to monitor the situation and will provide updates as we become aware of them. Stay tuned and check back for the latest on the Change Healthcare cyber attack and subsequent response.

If you would like assistance with revenue cycle processes or cybersecurity measures, one of our executive contacts would be happy to assist. You may e-mail them or call (800) 270-9629.

[1] Updates are based on “HHS Statement Regarding the Cyberattack on Change Healthcare” press release as accessed on March 6, 2024 and “Information on the Change Healthcare Cyber Response” updated by Change on March 7, 2024 and accessed on March 8, 2024.

[2] PYA does not endorse any product or service provider but shares this information for user research purposes.

[3] PYA notes that this program is not for providers who have had claims submission disruptions but rather for those with payment distribution impacts.
