AHA Letter to House E&C Subcommittee for May 1 Hearing on Change Healthcare Cyberattack
April 29, 2024
The Honorable Cathy McMorris Rodgers
Chair
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515

The Honorable Frank Pallone, Jr.
Ranking Member
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515

The Honorable Morgan Griffith
Chair
Subcommittee on Oversight and Investigations
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515

The Honorable Kathy Castor
Ranking Member
Subcommittee on Oversight and Investigations
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515
Dear Chair McMorris Rodgers, Ranking Member Pallone, Chair Griffith and Ranking Member Castor:
On behalf of AHA’s nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners — including more than 270,000 affiliated physicians, 2 million nurses and other caregivers — and the 43,000 health care leaders who belong to our professional membership groups, the American Hospital Association (AHA) writes to you in advance of the May 1 hearing with UnitedHealth Group regarding the Change Healthcare cyberattack. We applaud your attention to this important issue that has touched nearly every part of the U.S. health care system, threatening both patient access to care and the financial stability of providers.
As you prepare for this hearing, we wanted to provide an update regarding outstanding issues continuing to impact patients, hospitals and health systems, as well as discuss actions for Congress and the Administration to consider going forward.
HOSPITALS AND HEALTH SYSTEMS ARE COMMITTED TO CYBERSECURITY
Cybersecurity is critical to ensuring that hospitals can provide safe, high-quality care to their communities. Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks that can disrupt patient care and erode privacy by the loss of personal health care data. The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the National Security Council, the Cybersecurity and Infrastructure Security Agency and many others to prevent and mitigate cyberattacks.
As data theft and ransomware attacks targeting health care have increased dramatically over the past several years, the AHA has worked closely with federal agencies and the hospital field to build trusted relationships and channels for the mutual exchange of cyber threat information, risk mitigation practices, and resources to implement these practices. The AHA’s work in this area was critically important and allowed us to quickly assist members in their response to the Change Healthcare cyberattack.
BACKGROUND ON THE CYBERATTACK AND CHANGE HEALTHCARE
On Feb. 21, Change Healthcare, a subsidiary of UnitedHealth Group, was the victim of the most significant and consequential cyberattack on the U.S. health care system in American history. Change Healthcare is the predominant source of more than 100 critical functions that keep the health care system operating. Among them, Change Healthcare manages the clinical criteria used to authorize a substantial portion of patient care and coverage, processes billions of claims, supports clinical information exchange, and processes drug prescriptions. Significant portions of Change Healthcare’s functionality were incapacitated and are still being brought back online. As a result, patients struggled to get timely access to care and billions of dollars stopped flowing to providers, thereby threatening the solvency of our nation’s provider network including hospitals, health systems, physicians, pharmacists and virtually every other type of care provider.
According to Change Healthcare, the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records. These transactions include a range of services that directly affect patient care, including insurance eligibility verifications and pharmacy operations, as well as claims transmittals and payment. Change Healthcare is involved from when a provider office runs an insurance card to verify insurance benefits, to when a doctor receives a ping from the medical record with a clinical care recommendation, to when a lab shares results with a primary care provider, to when a provider bills an insurer for the care, and the insurer sends payment. Change Healthcare is involved in transactions regardless of whether patients are enrolled in a public coverage program like Medicare or private insurance through an employer. The company processes $2 trillion in health care payments each year out of the total $4.5 trillion spent on health care in the U.S. That means one company has some responsibility for more than 44% of all the dollars flowing through the health care system.
This unprecedented attack against one of America’s largest health care companies imposed significant consequences on patients and the hospitals, health systems and other providers who care for them. In some communities, patients struggled to obtain prescriptions or faced delays in scheduling care or receiving and paying bills. Responses to a March AHA survey representing nearly 1,000 hospitals found that 74% reported direct patient care impact, including delays in authorizations for medically necessary care.1
CURRENT STATE OF PLAY
As a recent Fortune magazine article on the subject described it: “Even now, two months out from the attack, many of Change Healthcare’s services have yet to be fully restored and some of the most burning questions remain unanswered.”2 This is consistent with what we are hearing from the AHA membership. Since the AHA first learned of the attack, we have remained in communication with UnitedHealth Group leadership to lend our support and share our members’ challenges because of the Change Healthcare outage.
During the early days and weeks of the event, it was very difficult to obtain clear information from UnitedHealth Group. Initially, there was little communication, and UnitedHealth Group minimized the impact this event was having on the ability to process medical claims. While this event had disparate impacts on providers, all communities felt the effects in some way. Change Healthcare’s loss of functionality due to the cyberattack prevented most payers from processing claims and completing other critical functions for the delivery and payment of care.
As a result of the inability to process claims, hospitals, health systems and other providers have experienced extraordinary reductions in cash flow. In the March AHA survey, 94% of hospitals reported that the Change Healthcare cyberattack was impacting them financially, with more than half reporting the impact as “significant or serious.” Indeed, a third of the survey respondents indicated that the attack disrupted more than half of their revenue. According to Kodiak Solutions, a revenue cycle data analytics firm, the value of claims submitted dropped $6.3 billion for their 1,850 hospital and 250,000 physician clients in just the first three weeks after the attack.3 Now two months in, many hospitals are still not back to full operations.
The staggering loss of revenue has meant that some hospitals and health systems had to seek alternate ways to ensure they could pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary, and environmental services. In addition, replacing previously electronic processes with manual processes has often proved ineffective and is adding considerable administrative costs for providers, as well as diverting team members from other tasks. Nearly all hospitals that responded to AHA’s survey have implemented one or more workarounds with varying degrees of success and at high cost.
While much of the claims and payment system functionality has been restored, it remains unclear how long it will take for all operations to return to normal, because reconnecting is not the only step to recovery. The disruption and delay in claims submission will inevitably lead to many denials, especially as most payers did not waive certain administrative requirements affected by the Change Healthcare outage. Specifically, we are already aware of denials due to providers’ inability to obtain prior authorization, and we also expect to see denials due to providers not meeting contractual “timely filing” deadlines. Providers will need to appeal these denials, a labor- and time-intensive process, to attempt to receive payment for the care provided. Providers will also need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. Therefore, hospitals, physicians and patients are continuing to experience financial and operational impacts. In the AHA’s March survey, 60% of hospitals reported that they expect it would take between two weeks and three months to resume normal operations once Change Healthcare’s full prior functionality is restored, and some expect impacts to linger even longer.
The burden — financial and workload — has been immense. While some hospitals were able to access Medicare’s advance and accelerated payments (AAP) and UnitedHealth Group’s temporary financial assistance program, many had to pull from reserves or take out private loans to continue providing 24/7 care for their communities. And while insurers have likely borne some mitigation costs because of the cyberattack, they still generally are on track to meet their annual earnings projections.4, 5, 6 In early March, the AHA notified UnitedHealth Group that its assistance program was insufficient to address the needs of providers due to both inadequate amounts and onerous terms. We appreciate that the company subsequently made changes that enabled more providers to participate.
It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack.
OUTSTANDING ISSUES TO CONSIDER
Cybersecurity Risk Not Isolated to a Single Organization
The Change Healthcare cyberattack was not an attack on a hospital and yet nearly every hospital felt the impact to varying degrees. In many cases, impacted hospitals did not even use Change Healthcare, but their payer partners or vendors did. Organizations need to be thinking broadly about their security risks, including outside their organizations.
In fact, hospitals and health systems are not the primary source of cyber risk exposure facing the health care sector. A review of the top data breaches in 2023 shows that over 95% of the most significant health sector data breaches, defined as those in which more than 1 million records were exposed, involved “business associates” and other non-hospital health care entities, including the Centers for Medicare & Medicaid Services (CMS), which had a breach among the 20 largest data breaches last year. Despite this, there has been a misplaced focus on implementing cyber requirements for hospitals. To make meaningful progress in the war on cybercrime, Congress and the Administration must focus on the entire health care sector and not just hospitals.
The AHA supports the voluntary consensus-based cybersecurity practices such as those announced in January by HHS. These cybersecurity performance goals (CPGs) are targeted at defending against the most common tactics used by cyber adversaries to attack health care and related third parties, such as exploitation of known technical vulnerabilities, phishing emails and stolen credentials.
Some have suggested that hospitals and health systems are not subject to requirements for cybersecurity. That is not the case. In fact, the AHA was meaningfully involved in the development of the CPGs and will continue to work collaboratively with HHS, the Healthcare Sector Coordinating Council and other federal partners to enhance cybersecurity efforts for the entire health care field. This includes hospitals and health systems, technology providers, payers, pharmacists and other vendors, to ensure we are all protected against the primary source of cyber risk — criminal and nation state-supported cyber adversaries.
In addition, hospitals and health systems are “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) and must comply with the defined set of mandatory safeguards under the HIPAA Security Rule. These safeguards include information access management, security incident procedures and data back-up plans, to name just a few. Failure to comply with these requirements can carry severe monetary penalties. In addition, the various accrediting bodies, like the Joint Commission, align their accrediting standards with these requirements and Medicare’s Conditions of Participation (CoPs) require hospitals to protect patient health information from unauthorized disclosures and reference the need for hospitals to follow applicable federal laws and regulations, which include HIPAA’s various security rules.
Unfortunately, the President’s FY 2025 budget recommends new penalties for hospitals and health systems for not meeting what the Administration refers to as “essential cybersecurity practices,” which we understand would be based on the consensus-based cybersecurity practices previously referenced. Beginning in FY 2029, the Administration proposes to codify in regulation the required adoption of these essential practices. Hospitals failing to meet these standards would face penalties of up to 100% of the annual Medicare market basket increase and, beginning in FY 2031, potential additional penalties of up to 1% off the base payment. Critical access hospitals that failed to adopt the essential practices would incur a payment reduction of up to 1%, but their total penalty would be capped. While it is coupled with funding purported to assist hospitals in defending against cyberattacks, the per hospital benefit would be extremely limited resulting in a de facto unfunded mandate.
While the AHA supports the consensus-based cybersecurity practices and is supporting our members in their adoption, we strongly object to the proposed penalties. First, as noted above, it is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals’ primary systems. Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies.
Second, no organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.
Finally, defense alone is not enough. Congress should call on federal agencies to protect hospitals and health systems — and the patients they care for — by deploying a strong and sustained offensive cyber strategy to combat this ongoing and unresolved national security threat. Health care is a top critical infrastructure sector with direct impact on public health and safety and must be protected. Any cyberattack on the health care sector that disrupts or delays patient care creates a risk to patient safety and crosses the line from an economic crime to a threat-to-life crime. These attacks should be aggressively pursued and prosecuted as such by the federal government. We use the term “prosecuted” in every sense of the word, encompassing the totality of the government’s capabilities and authorities, including intelligence and military authorities. Imposing swift and certain consequences upon cyber adversaries, who are often provided safe harbor in noncooperative foreign jurisdictions such as Russia, China, Iran and North Korea, is essential to reducing the cyber threats targeting health care and the nation.
Government’s Role in Mitigating the Impact of Cyberattacks
The Change Healthcare incident has demonstrated that there is no consensus on the role of the government in terms of assisting with the impact of such a cyberattack on a private company and, when the government does see a role, it does not necessarily have the authority to act quickly or broadly. In the case of Change Healthcare, for example, CMS has been instrumental in helping financially support providers when much of their payments went down. However, the agency did not act until day 18 of the initial event when it issued a notice formally announcing terms for impacted hospitals, physicians and other providers to apply for AAPs. Through this communication, it also relayed the limits of CMS’ authority. While we appreciated the agency urged commercial insurance companies and payers to do their part by making interim payments to providers, easing administrative burdens, and pausing prior authorizations, requirements on timely billing and other utilization management requirements, the agency acknowledged it did not have authority to require that payers do any of these things. However, taxpayers are one of the largest sources of revenue for most commercial insurers. Given the critical role of the federal government in protecting our nation’s health care infrastructure, we must ensure that CMS and other appropriate agencies have the statutory authority to act quickly and provide broad support, including by compelling private payers to do their part.
Breach Notification and Office for Civil Rights Investigation
Unfortunately, it appears that the Change Healthcare hackers indeed obtained access to protected health information (PHI) or personally identifiable information (PII). Moreover, UnitedHealth Group has stated that the breach “could cover a substantial proportion of people in America.”7 While the full scope of the breach may take months to fully understand, at some point, consumers will need to be notified if their data was compromised.
Importantly, UnitedHealth Group has offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer” at the appropriate time. We appreciate UnitedHealth Group’s announcement that it will undertake this responsibility to “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack.” We urge Congress and the Office for Civil Rights to hold UnitedHealth Group to this promise.
The Reach of UnitedHealth Group
The cyberattack against Change Healthcare revealed to many for the first time the scale of UnitedHealth Group.
UnitedHealth Group’s broad scope means that it is engaged in some way in the health care experience of most Americans. This could be either directly (an individual enrolled in a UnitedHealthcare health plan) or indirectly (a patient’s doctor relying on InterQual clinical guidelines for clinical decision support). Examples of the scope and scale of UnitedHealth Group’s role in the U.S. health care system can be illustrated by its many subsidiaries:8
- UnitedHealthcare provides health care coverage to 52 million people, including through plans offered through the Medicare and Medicaid programs.
- Change Healthcare facilitates electronic transactions, such as claims submission, eligibility checks, payment processing between providers and insurers, and clinical records sharing between clinicians.
- OptumRx manages 22% of the prescriptions filled in the U.S.
- OptumCare is the largest employer of physicians in the country, with more than 10% of U.S. physicians employed by or affiliated with it.
- OptumFinancial holds more than $22 billion in banking assets, much of it related to health savings accounts.
The scope of UnitedHealth Group raises concerns about providers’ ability to care for patients and communities in times of disruption. It also raises the question of how providers can be expected to secure their systems from cyber risk when a company of this scale could not protect itself, its patients or its clients.
CONCLUSION
We stand ready to work with Congress, Change Healthcare and its corporate ownership to ensure hospitals and health systems have the resources they need to continue serving their patients and communities. At the same time, we also must enact policies that bolster support for the entire health care system’s efforts to protect health care services, data and patients from cyberattacks.
Thank you for your continued attention to this issue. If you have any questions, please contact me at shughes@aha.org, or Lisa Kidder Hrobsky, senior vice president of federal relations, advocacy and political affairs, at lkidder@aha.org.
Sincerely,
/s/
Stacey Hughes
Executive Vice President
Attachment: AHA Testimony for Committee on Energy and Commerce Subcommittee on Health April 16 Hearing on “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.”
__________
1 The AHA issued a survey to all U.S. hospitals on Friday, March 9, 2024. These results reflect responses representing 960 hospitals as of the morning of Tuesday, March 12, 2024.
2 America’s health system is still in crisis after its biggest cyberattack ever—but the ‘catastrophe’ is just a blip for the giant company that got hacked, Fortune (Apr. 23, 2024), https://fortune.com/2024/04/23/change-healthcare-cyberattack-unitedhealth-hack-ransomware/.
4 https://www.elevancehealth.com/newsroom/elv-quarterly-earnings-q1-2024
5 https://www.unitedhealthgroup.com/content/dam/UHG/PDF/investors/2024/UNH-Q1-2024-Release.pdf
6 https://humana.gcs-web.com/financial-information/quarterly-results
7 UnitedHealth Group News Release, “UnitedHealth Group Updates on Change Healthcare Cyberattack,” Apr. 22, 2024.