HHS and DOL Call on UnitedHealth Group to Step Up to Help Hospitals, Physicians in Aftermath of Cyberattack

Special Bulletin

HHS and DOL Call on UnitedHealth Group to Step Up to Help Hospitals, Physicians in Aftermath of Change Healthcare Cyberattack

March 11, 2024

The Department of Health and Human Services (HHS) and Department of Labor (DOL) yesterday called on UnitedHealth Group (UHG) to “take responsibility” for the adverse impacts of the Change Healthcare cyberattack. Change Healthcare is part of Optum and owned by UHG.

In a letter sent yesterday to all providers, HHS Secretary Xavier Becerra and DOL Acting Secretary Julie A. Su asked for greater transparency and expedited payments to impacted providers, among other things.

The departments also urged other commercial insurance companies and payers to make interim payments to providers, ease administrative burdens, and pause prior authorizations and other utilization management requirements.

AHA Take

In a statement yesterday AHA President and CEO Rick Pollack said, “We welcome the letter from the Department of Health and Human Services and Department of Labor that recognizes the unprecedented nature of the Change Healthcare cyberattack and its far-reaching impacts on hospitals, physicians and the health care sector. We particularly appreciate the federal government’s call on UnitedHealth Group for increased transparency about this incident and urging the company to step up to take needed actions to provide meaningful payments to hospitals, physicians and other providers so that they can continue timely care for patients.

“It’s critical that all payers help providers during this incident to ensure patient care is not compromised. That includes easing administrative burdens, pausing prior authorizations and requirements on timely billing, and providing advanced payments to hospitals and physicians, among other things, until this issue is fully resolved. Just like the impacted providers, these payers are not responsible for the cyberattack; however, as hospitals and doctors have not wavered from their responsibility to care for their patients despite significant hardship, all payers must too honor their responsibility to support hospitals, physicians and patients for care delivered without delay.

“We recognize that the federal government does have statutory limitations to require private payers to take all the actions that may be needed, and Congress may need to take specific steps to ensure the health care system is not disrupted for patients. We will continue to work with Congress and policymakers as the impacts from the cyberattack persist.”


Throughout the last few weeks, the AHA has been urging UHG to take action to minimize disruption to patient care and hospital operations resulting from this attack. In addition, AHA has urged Congress and HHS to support hospitals and providers impacted by the attack.

The Centers for Medicare & Medicaid Services (CMS) March 9 issued a notice formally announcing terms for hospitals, physicians and other providers impacted by the Change Healthcare cyberattack to apply for accelerated and advance payments. CMS stated that hospitals, health systems and others should contact their Medicare Administrative Contractors for more information and to apply. For more information, see the March 9 AHA Special Bulletin.

Further Questions

If you have further questions, please contact Molly Smith, AHA group vice president of policy, at mollysmith@aha.org.