Change Healthcare Cyber Attack: What We Know So Far

Many in the healthcare community have been impacted by the February 21, 2024 cyber attack on Change Healthcare. With a situation as complex as this, Radiation Business Solutions knows the importance of staying up to date on government initiatives, industry next steps, and how this affects your role and day-to-day priorities. Here, we have compiled a succinct overview of what we know so far.


Change Healthcare Cyber Attack Overview 

  • The cyberattack on Change Healthcare, which was acquired by UnitedHealth Group in 2021, was perpetrated by hackers identifying as the “Blackcat” ransomware group. 
  • Disruptions from the attack impacted electronic pharmacy refills and insurance transactions. 


U.S. Government’s Response and Call for Responsibility

  • U.S. government officials urged UnitedHealth Group to expedite payments to healthcare providers following the attack on Change Healthcare’s tech unit. 
  • The U.S. Department of Labor and the U.S. Department of Health and Human Services (HHS) called upon UnitedHealth to ensure providers aren’t compromised by cash flow challenges due to the cyberattack. 


What’s the impact?  

  • Billing groups are resorting to paper claims and transitioning clients to Availity’s clearing house for claims processing. 
  • Many physician practices have not been able to submit claims, according to the American Medical Association(AMA), and “a considerable proportion of revenue cycle processes have ground to a halt.” The group, in a March 1st letterto HHS, identified top concerns among practices since the incident, including the interruption of administrative and billing processes, practices having to take on “enormous” administrative burdens, and significant data privacy fears. 


UHC’s Restoration Timeline as of Today

  • Pharmacy services are now reported to be fully functional with electronic prescribing and claim submission/payment transmission.
  • Testing and re-establishment of connectivity to the claims network and software expected to begin on March 18.
  • A temporary funding assistance programfor providers has been set up through Optum, which is also owned by UnitedHealth Group.  


Government Initiatives

  • HHS urged private sector entities to identify and implement solutions to mitigate harm to patients and providers.
  • CMS announced the opportunity for physicians impacted by the cyberattack to request advance Medicare payments.
  • Convening of healthcare community leaders by HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm, along with other federal government representatives, to discuss concrete actions to mitigate harms caused by the cyberattack on Change Healthcare.
  • For physician practices that participate in the Merit-based Incentive Payment System (MIPS) as part of Medicare’s Quality Payment Program, CMS is offering a two-week extension on the data submission deadline as an accommodation stemming from the Change Healthcare outage. 


What’s Next?

  • Multiple lawsuits have been filed against Change Healthcare, alleging that they did not have adequate cybersecurity measures in place to prevent the attack.


So, what’s the bottom line?  All entities and providers who utilize Change Healthcare are subject to severe delays in payment. We, like you, continue to do everything we can to mitigate the effect of this situation for our clients.  The experience has been an opportunity to learn some important lessons about the dangers of depending on one single resource for claim submission.  We’re making changes to ensure that when something like this happens again, we are not likely to experience the same level of disruption to payments.

For more information, or to discuss this matter further with a member of the Radiation Business Solutions team, please contact us at