US Department of Health and Human Services (HHS) Addresses Cyberattack at UnitedHealth Subsidiary

Xavier Becerra, Secretary of the U.S. Department of Health and Human Services (HHS), has addressed the “far-reaching” implications of the recent cyberattack on Change Healthcare in a letter to heath care leaders.

The March 10 letter, which is also signed by U.S. Department of Labor Secretary Julie Su, goes over the well-publicized impact the attack had on the industry as a whole, especially pharmacies, and outlines Biden administration initiatives to mitigate future problems.

It also lists steps that HHS expects Change Healthcare’s parent, UnitedHealth Group, to take in order to address the crisis. In that sense it can be seen as a blueprint for governmental expectations of big players in highly consolidated industries that are hit by cyberattacks.

The letter said that UnitedHealth should ensure that no provider is compromised by cash flow challenges stemming from the attack. Specifically, it requests expedited delivery of funds to impacted providers.

UnitedHealth Group should “communicate more frequently and more transparently, both within the health care community and with state Medicaid agencies.”

The letter requests a list of impacted providers and the states where they are located for Medicaid agencies. It called for greater access to UnitedHealth programs “by providing less restrictive terms and by addressing providers’ concerns regarding indemnification and arbitration requirements.”

Other requests call for UnitedHealth to simplify electronic data interchange requirements and timelines, and accept paper claims; ensure the effectiveness of UnitedHealth financial backstop programs; and prioritize under-resourced, lower-margin providers. 

The letter expresses appreciation for the actions taken by clearinghouses to enable switching from Change Healthcare systems, and encourages them “to offer easy-to-implement, standard terms for additional providers who want to switch, and avoid cost-prohibitive pricing.”

The letter ends with a reminder that the interconnectedness of domestic health care underlines the urgency of strengthening cybersecurity resiliency across the system.