Change Health Cyberattack Update
In late February, Change Healthcare, a unit of UnitedHealth Group (UHG), faced a significant cybersecurity incident, disrupting healthcare operations nationwide. The attack, attributed to the ransomware group BlackCat, rendered electronic claims submission, real-time eligibility verification, and electronic remittance advice (ERAs) non-operational. Home care agencies and other health care organizations are encountering delays in claims processing and payments, resulting in substantial impacts on revenue and cash flow.
Optum and Change Healthcare News
Systems are coming back up, and per Change Healthcare, pharmacy claims processing is functional. Other applications will be brought up in a logical, orderly sequence. Providers will be informed regarding when to expect different applications to be available. Systems affecting access to care are being prioritized.
Change Healthcare reports that the latest data shows 90% of claims are flowing uninterrupted. Optum expects to begin testing and reestablishing connectivity to their claims network and software on March 18, restoring service through that week. Electronic payment functionality will be available for connection beginning March 15.
Providers will receive communications as needed informing them of the steps necessary to reconnect to each application as it is brought back online. Systems may run on multiple paths temporarily.
Change Healthcare has a dedicated website to update providers on this incident. They recommend using the applicable workarounds they have established—in particular, using their new iEDI claim submission system -in the interest of system redundancy given the current environment. Relay Health has also stepped up as an alternative clearinghouse.
Note that UHG has stated that all systems that are currently up and running are safe, and attestations to their safety will be provided as soon as possible.
Change Healthcare notes the need for industry-wide improvements to develop redundancy in systems to avoid this type of disruption in the future.
Provider Support and Critical Next Steps
In a meeting with the Department of Health (DOH/the Department), HCP learned that Licensed Home Care Services Agencies (LHCSA) are the sector experiencing the most impact from this cyber security event.
In response to this crisis, and recognizing that financial issues lead to clinical issues, DOH has provided crucial guidance to healthcare providers (HCP):
- Agencies impacted by the cyberattack should report the severity of the impact through the Health Emergency Response Data System (HERDS) surveys.
- Ensuring up-to-date contact information in the Health Commerce System (HCS) is critical to streamline communication with the Department, thereby reducing response time.
- Providers facing payroll issues or service suspensions due to the cyberattack can reach out to Mildred (Millie) Ferriter, Director for the Division of Quality and Surveillance within the Center for Home and Community Based Services at DOH.
As stated on the incident website, for Medicare Advantage plans, including Dual Special Needs Plans, Optum is temporarily suspending prior authorizations for most outpatient services.
Temporary Emergency Funding Available
On March 3, 2024, HCP issued an Emergency Preparedness Alert regarding temporary emergency funding assistance accessible through Optum Financial Services. Change Healthcare acknowledges the urgency of restoring payment operations and has collaborated with Optum Financial Services to provide short-term funding assistance to the most severely impacted partners.
Individual payors are being urged to provide temporary assistance to providers.
Optum is now expanding its program beyond UnitedHealthcare’s temporary provider funding relief. The funding program now includes providers who have exhausted all available connection options and who work with a payer who has opted not to advance funds while Change Healthcare systems remain down. This expansion is a funding mechanism of last resort, especially for small and regional providers, and will be evaluated on a case-by-case basis.
These programs operate on a week-to-week basis, with funding amounts determined by prior claims volume and provider impact level. Recipients must register for the programs via an active Optum Pay account, which will also be used for fund disbursement and repayment. If you do not have an existing Optum Pay account, sign up to receive log-in information. Repayment is not expected until 30 days after billing and payment systems have been restored.
You must enroll to determine your eligibility. There are no enrollment fees for the basic Optum Pay account or the temporary funding program, however, there are origination fees, according to DOH. Change Healthcare stresses that this program is NOT for providers with claims submission disruptions. It is only for those whose payment distribution has been impacted. Funding amounts will be determined by prior claims volume and provider impact level.
Wait times for eligibility for the initial temporary assistance program are estimated at four to five days. DOH reports that several agencies have had success with this program. Turnaround time has been as short as 12 hours, and some agencies report already receiving checks.
NYS Department of Financial Services
On March 8, 2024, the NYS Department of Financial Services (DFS) issued an Insurance Circular Letter instructing insurers. including Medicaid Managed Care Plans, that certain preauthorization and review requirements, appeal timeframes, reconsideration timeframes, claim submission timeframes, and eligibility verifications should be suspended or tolled when necessary.
Additionally, DFS is urging insurers to have realistic expectations regarding claims submission times, eligibility verifications, and appeals, allowing a reasonable amount of additional time for affected providers. Insurers are instructed to work with providers to minimize and resolve payment delays, and to provide payment via non-electronic means upon a provider’s request.
Note that providers may need to attest to the need for extensions due to the disruption caused by the cybersecurity incident.
HHS Response
The US Department of Health and Human Services (HHS) is actively engaged in addressing the fallout from the cyberattack. HHS has coordinated with UHG leadership, state partners, and relevant agencies to mitigate the impact on health care providers.
The HHS announcement included immediate steps taken by the Centers for Medicare and Medicaid Services (CMS) to assist providers in serving patients amidst the cyberattack fallout. CMS continues to engage with the health care community and has offered flexibilities to assist providers, including expedited processing for electronic data interchange (EDI) enrollment, relaxed prior authorization requirements for Medicare Advantage and Part D plans, and support for Medicaid and CHIP managed care plans to ease authorization and utilization management requirements.
HCP Support
HCP’s Public Policy team will continue to monitor and report on the impact of this wide-reaching cyberattack, including relief measures and actions providers can take to protect themselves. Members are encouraged to visit the Health and Public Health (HPH) HPH Cyber Performance Goals website for details on steps to stay protected.
For additional assistance, including questions regarding the iEDI option, email Optum’s Client Services Assistance at Optum.