Timeline of Change Healthcare Cyberattack

Written by Mitchell Langley

March 19, 2024

Timeline of Change Healthcare Cyberattack

On February 21, a highly significant and impactful cyberattack commenced against UnitedHealth Group’s Change Healthcare, causing severe disruption to the financial operations of hospitals, insurers, pharmacies, and medical groups across the entire nation.

Here is a comprehensive timeline of the Change Healthcare Cyberattack, capturing key events, regulatory and policy developments, as well as statements from the affected stakeholders.

This article will continue to be updated. Last update: March 19

Change Healthcare Cyberattack Timeline

March 19: A group of almost 100 federal lawmakers, representing both parties, have come together to request that the Department of Health and Human Services (HHS) should use its authority to ensure that hospitals, physicians, Medicare Advantage plans, and state Medicaid programs receive timely payments. Congress is also urging HHS to address the issue of patients facing difficulties in accessing medications promptly. Additionally, they are requesting HHS to continue engaging in discussions with UnitedHealth regarding the ongoing recovery efforts.

March 18: UnitedHealth Group provided over $2 billion in financial assistance to healthcare providers and has also introduced new software for medical claims preparation. The company has successfully restored 99% of its pharmacy network services. Furthermore, Change’s electronic payments platform was fully restored on March 15, and payer implementations are currently in progress.

Recently, fifteen insurance companies and trade groups held a meeting with officials from the Biden administration to discuss the ongoing response to the Change Healthcare cyberattack. The participants highlighted the progress made in reinstating claims processing systems. However, certain challenges persist for small, rural, and safety-net providers, particularly related to cash flow issues.

Fitch Ratings has warned that the cyber attack could have adverse effects on the credit profiles of smaller healthcare providers, pharmacies, and other businesses that rely on Change’s services. Companies with higher credit ratings are presumed to possess the necessary flexibility to withstand these disruptions.

March 16: According to the latest Change Healthcare cyber attack update by Bloomberg, Insurers and health officials are expected to meet next week. Companies fear that push for payments can yield more complications. Continue Reading

March 15

According to a survey conducted by the American Hospital Association (AHA) between March 9 and 12, the financial impact of the UnitedHealth data breach has been significant for hospitals. The survey, which included nearly 1,000 hospitals, revealed that 94% of them have experienced financial consequences, with more than half reporting a “significant or serious” impact. Furthermore, 74% of hospitals reported a direct effect on patient care as a result of the cyberattack.

An analysis by Kodiak Solutions, examining data from 1,850 hospitals and 250,000 physicians across the country, indicates that provider claims to payers have decreased by over one-third. As of March 9, the total estimated cash flow impact for hospitals reporting data to Kodiak is approximately $6.3 billion in delayed payments.

March 14

The American Medical Association (AMA) expressed astonishment at AHIP’s response to the cyberattack aftermath. AMA criticized AHIP’s “business as usual” approach to prior authorization, highlighting the lack of assistance and silence experienced by struggling practices in the wake of the Change Healthcare cyberattack. The AMA emphasized that service outages have worsened the administrative burdens and delays in care already associated with the prior authorization process.

March 13

On March 13, the federal government initiated an investigation into UnitedHealth cyberattack, specifically focusing on their compliance with the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to assess any potential violations of HIPAA regulations in relation to the cyberattack incident.

The American Hospital Association (AHA) appealed to Congress to take into account existing statutory limitations that could restrict the aid provided by the Centers for Medicare and Medicaid Services (CMS) and the Department of Health and Human Services (HHS) to hospitals and healthcare providers.

March 12

Mike Tuffin, President and CEO of America’s Health Insurance Plans (AHIP), expressed concerns about suspending prior authorization requirements. Tuffin emphasized that individual plans and providers are best positioned to determine and ensure appropriate and timely payments, suggesting that a blanket suspension may have unintended consequences.

In response to the Change Healthcare cyberattack, officials from the Biden administration summoned UnitedHealth Group CEO Andrew Witty to the White House. During the meeting, the administration urged UnitedHealth to provide additional emergency funding to support healthcare providers.

Highmark Health, as the first Blue Cross Blue Shield company to do so, outlined an advance funding program to aid providers facing cash flow challenges. However, at this time, the company has not announced any waivers of prior authorization requirements.

March 11

According to the Massachusetts hospital association, hospitals in the state are experiencing daily losses of at least $24 million as a result of the Change Healthcare cyberattack. The financial impact on healthcare facilities is substantial, highlighting the urgent need for support and recovery.

In response to the situation, the American Medical Association (AMA) has issued a call for the creation of a comprehensive list of all payers that are providing advance payments to healthcare providers. The AMA has also offered its assistance in the development of such a list to facilitate communication and access to financial resources for affected providers.

March 10

The Department of Health and Human Services (HHS) addressed UnitedHealth, urging the company to take responsibility in ensuring that healthcare providers do not face financial challenges due to the cyberattack. HHS emphasized the need for UnitedHealth to expedite the delivery of payments to support affected providers.

The government called for increased communication from the company, urging them to provide more frequent and transparent updates on their recovery efforts to the healthcare system and state Medicaid agencies.

HHS also made a general request to all payers, urging them to make interim payments to affected providers and temporarily suspend prior authorization and other utilization management requirements. These measures are aimed at alleviating the financial burden on healthcare providers during this challenging period.

March 9

The Centers for Medicare and Medicaid Services (CMS) expanded its response to the Change Healthcare cyberattack by offering advance payments to physicians and other outpatient care providers who are facing disruptions in their claims processing.

March 8

According to the American Hospital Association (AHA), it will likely take hospitals and healthcare providers several weeks, if not months, to fully recover from the impact. Moody’s, a credit rating agency, has also acknowledged that hospitals may face challenges in their credit ratings as they explore alternative methods for filing claims. The fallout from the attack is expected to have a lasting impact on the healthcare industry.

March 7

UnitedHealth Group released a detailed timeline outlining the restoration process for key systems of Change Healthcare. CEO Andrew Witty expressed a commitment to resolving the situation promptly and appropriately.

As of March 7, Change Healthcare’s pharmacy electronic prescribing functionality has been fully restored, enabling claim submission and payment transmission.

The electronic payment platform is anticipated to be available for connection by March 15. Testing for reconnection of the medical claims network and software is scheduled to commence on March 18, with the company devoting the following week to the restoration of services.

In response to the ongoing situation, UnitedHealth has temporarily suspended Medicare Advantage and D-SNP prior authorizations for most outpatient services until March 31.

March 6

Legal action commenced against UnitedHealth Group in response to the Change Healthcare cyberattack. According to court records, at least six federal lawsuits have been filed against the company this month.

March 5

On March 5, the Department of Health and Human Services (HHS) took measures to support hospitals affected by the cyberattack. They expedited payments to these hospitals and implemented additional workarounds to assist healthcare providers during this challenging time.

The Centers for Medicare and Medicaid Services (CMS) encouraged Medicare Advantage organizations and Part D sponsors to either remove or relax prior authorization requirements, aiming to facilitate smoother healthcare processes for affected individuals.

Mark Kaye, the CFO of Elevance Health, reported an initial decrease of 15% to 20% in the daily volume of data received from providers following the attack. Currently, the volume remains approximately 10% below normal levels. Susan Diamond, CFO of Humana, mentioned that around 20% of the company’s medical claims, submitted by providers, pass through Change Healthcare’s system before reaching the payer.

March 4

The American Hospital Association (AHA) expressed dissatisfaction with Change Healthcare’s temporary funding program for affected providers, deeming it inadequate. Additionally, U.S. Senate Majority Leader Chuck Schumer urged the Centers for Medicare and Medicaid Services (CMS) to expedite payments to hospitals facing financial strains.

According to First Health Advisory, a cybersecurity company, larger health systems are reportedly incurring losses of over $100 million per day due to the ongoing disruptions caused by the UnitedHealth cyberattack. Despite these challenges, some health systems have managed to resume normal operations.

Providence, based in Renton, Washington, has successfully restored regular activities by leveraging electronic prescriptions through Epic and gradually transitioning away from paper scripts.

The Department of Homeland Security issued a warning to healthcare organizations, advising them to remain vigilant against “malicious cyber actors” who target the healthcare and public health sector for financial gain, cyber espionage, or ideological motives.

March 3

On March 3, it was reported by Reuters that ALPHV/BlackCat received a bitcoin payment amounting to over $22 million. A cybersecurity firm has identified that the destination of these funds is linked to the AlphV ransomware group claiming responsibility for the Change Healthcare cyberattack.  

While UnitedHealth Group did not provide any comments on whether they had made any payment to the group, they emphasized their focus on investigating the incident and working towards the recovery of Change Healthcare’s services.

March 1

In response to the financial challenges faced by providers following the Change Healthcare cyberattack, Optum has introduced a temporary funding assistance program to support their cash flow needs during this difficult period.  

Change Healthcare has implemented a workaround system for its e-prescribing program, ensuring that pharmacies can continue their operations smoothly despite the attack.

Feb. 29

Change Healthcare officially confirmed that ALPHV/BlackCat has identified itself as the responsible party behind the cyberattack. The ransomware group claimed to have stolen a significant amount of data from Change Healthcare, including medical records, patient Social Security numbers, and information on active military personnel, totaling approximately 6 terabytes.

Change Healthcare took immediate action by collaborating with renowned cybersecurity firms Palo Alto Network and Mandiant, a subsidiary of Google, as well as engaged with law enforcement authorities.

Feb. 27

The Department of Health and Human Services (HHS) issued a warning to hospitals, cautioning them about the threat posed by ALPHV/BlackCat. HHS highlighted that the majority of the group’s 70 victims since December have been in the healthcare industry, with the ransomware gang actively encouraging its members to target hospitals.

Aetna, in a message to healthcare providers, acknowledged the possibility of some providers in its network experiencing delays in receiving payments. The insurer assured that it was prioritizing the implementation of workarounds to ensure timely payments to providers. However, Aetna clarified that it would not be relaxing any prior authorization requirements during that time.

Feb. 26

The ransomware group BlackCat claimed responsibility for the attack, as reported by Reuters.

Fitch and Moody’s, the renowned credit rating agencies, stated that while the incident poses legal and reputational risks for UnitedHealth Group, it is not expected to impact their credit ratings.

UnitedHealth Group informed that over 90% of the 70,000-plus pharmacies in the United States, utilizing Change Healthcare’s platform, have implemented modifications to their electronic claims processing to mitigate the impact of the UnitedHealth cyberattack. The company also mentioned that the remaining 10% have implemented offline processing workarounds.

Feb. 22

In response to the attack, various hospitals, health systems, and pharmacies experienced disruptions. The American Hospital Association (AHA) advised these facilities to disconnect from Optum’s systems. Geisinger Healthcare, based in Danville, PA, disconnected from Change Healthcare’s systems following the cybersecurity incident.

UnitedHealth Group, acknowledging the severity of the Change Healthcare Cyberattack, indicated that it suspected the involvement of a “nation-state group” as the perpetrator.

Feb. 21

On February 21, Optum reported early morning disruptions in “enterprise-wide connectivity.” Subsequently, Optum disclosed that Change Healthcare had encountered a network disruption caused by a cybersecurity threat. As a precautionary measure, Optum promptly disconnected Change Healthcare’s systems upon discovering the attack.

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!