CMS Responds to Cyberattack on Change Healthcare

Since February 21, the health care industry has been rocked by a significant cyberattack targeting Change Healthcare, the largest claims processing system in the United States. As a result, health providers are struggling to submit claims, and pharmacies are facing operational challenges. The incident, which has left a trail of disruption across the medical sector, underscores the vulnerability of the health care ecosystem to cyber threats.

This past Friday, CMS issued an Informational Bulletin aimed at guiding state Medicaid agencies in responding to the impacts of the cyberattack. It states that CMS will refrain from enforcement actions regarding specific Medicaid requirements, ensuring crucial Medicaid funds reach providers without disruption. This measure aims to safeguard access to Medicaid services, prevent adverse health outcomes, and mitigate financial challenges for providers. The period of non-enforcement will extend until June 30, 2024.

Change Healthcare, owned by UnitedHealth Group, has been the primary target of the attack. Despite recent assurances from UnitedHealth Group regarding the full restoration of its claims network this week, the aftermath of the cyberattack has prompted calls for investigations and raised concerns about the industry’s preparedness to fend off similar incidents in the future.

While Change Healthcare has made significant progress, with approximately 99% of claims now flowing in their pharmacy services according to a recent United Health Group press release, challenges persist for smaller health care providers, particularly in rural areas. These providers had previously requested further guidance and clarity when to expect Change will come back online in order to navigate the cash crunch caused by the disruption in claims processing.