Mich. A.G. Nessel Urges UnitedHealth Group to Help Patients and Providers Harmed by Cyberattack on Change Healthcare (2024)

LANSING, Michigan, April 27 -- Michigan Attorney General Dana Nessel issued the following news release on April 26, 2024:

Michigan Attorney General Dana Nessel has joined a bipartisan, multistate coalition of 22 attorneys general in sending a letter to UnitedHealth Group, Inc. -- the nation's largest health insurer and the parent company of Change Healthcare -- urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent catastrophic outage of Change Healthcare.

On February 21, 2024, Change Healthcare experienced a cyberattack by ALPHV/Blackcat, which crippled its platform. In the intervening weeks, providers, pharmacies, and facilities have reported catastrophic disruptions to care infrastructure, inability to verify coverage or obtain prior authorization, and inability to process claims or obtain reimbursem*nts. Patients report delayed or denied access to prescription drugs, and difficulty scheduling appointments or procedures. The Change Healthcare outage profoundly disrupted patient care and has put some providers on the precipice of financial ruin.

Change Healthcare runs the nation's biggest electronic data clearinghouse. Its technological infrastructure is used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claims data, and perform other administrative tasks essential to the delivery of health care.

UnitedHealth Group acquired Change Healthcare in 2022.

"Cyberattacks in the healthcare sector are becoming frighteningly frequent," Nessel said. "It is the duty of organizations that hold our most personal and sensitive data to vigorously defend against cyberattacks, and when they fail in that defense they should take all reasonable efforts to protect the patients they left vulnerable. The steps we are requesting should be as commonplace as the attacks on personal health data have become. I proudly stand with my colleagues in asking UnitedHealth to take meaningful action to make providers and patients whole and limit the ongoing harm and effects of this security failure."

Nessel and the bipartisan coalition call upon UnitedHealth Group to act quickly to limit the harm to the states' care providers and patients. Specifically, they ask UnitedHealth Group to take the following steps:

* Enhance and expand financial assistance, free of onerous terms, to all affected providers, facilities, and pharmacies.

* Ensure their financial assistance programs are not providing more advantageous financial assistance to providers, practices, or facilities that are owned by UnitedHealth Group.

* Shield the business information of providers and pharmacies from United's other corporate lines of business.

* Suspend requirements for prior authorizations, contemporaneous notifications of change of status, and other documentation requirements.

* Provide a dedicated help line for providers, facilities, pharmacies, and state Attorneys General.

* Proactively inform providers, facilities, pharmacies, and industry groups associated with each, of the steps they can take to preserve claims and receive prompt reimbursem*nt.

* Expeditiously resolve the claims backlog and ensure prompt reimbursem*nt of claims.

* Ensure providers, facilities, pharmacies, regulators, affected patients, and the public are informed of what data was compromised and what steps, if any, are needed for providers and patients to mitigate future identity theft or systems risks.

UnitedHealth Group reported $22 billion in profits in 2023. Even with the February cyberattack in its first quarter, UnitedHealth Group reported revenue of $99.8 billion, up $7.9 billion from same period the previous year.

In contrast, many hospitals and clinics are operating under tremendous financial strain, relying upon critical infrastructure such as Change Healthcare or adjacent vendors to maintain the operations that support their patient care. The two months of near collapse of the nation's biggest claims management system since the cyberattack on Change Healthcare has pushed many entities -- particularly small independent medical providers and pharmacies -- to make difficult choices, such as seeking financial assistance with disadvantageous terms or delaying payroll.

Joining AG Nessel in sending the letter to UnitedHealth Group are Minnesota Attorney General Keith Ellison, who leads the letter, and a bipartisan group of attorneys general from Arizona, California, Connecticut, the District of Columbia, Hawaii, Maine, Massachusetts, Minnesota, Mississippi, Nebraska, Nevada, New Hampshire, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, South Dakota, Utah, Vermont, and Washington.

* * *

April 25, 2024

To: Mr. Andrew Witty, Chief Executive Officer, UnitedHealth Group Inc., 9900 Bren Road East, Minnetonka, MN 55343, [emailprotected]

Re: Change Healthcare Disruptions

Dear Mr. Witty:

The undersigned Attorneys General write to express our concern with UnitedHealth Group Inc. subsidiary Change Healthcare's response to the lengthy disconnection and subsequent limited restoration of its platform services as a result of a cyberattack. Providers, pharmacies, and patients have reported catastrophic disruptions and wholly inadequate responses from Change Healthcare and its payor partners that either directly or indirectly rely upon Change. Health care entities and pharmacies within our jurisdictions have indicated that they are in jeopardy of collapse. Patients describe disruptions to their care and delayed or denied access to prescription drugs as a consequence of Change Healthcare's failures. You must do more than you are currently to avoid imposing further harm to our states' health care infrastructure and the patients who rely upon it.

On February 21, 2024, Change Healthcare reported enterprise-wide connectivity issues and the unavailability of some applications./1 Over the next several days, United continued to communicate that Change Healthcare was "experiencing a cyber security issue" but that other systems at UnitedHealthcare and UnitedHealth Group were still functional./2 More than a week later, Change Healthcare indicated the cybersecurity incident was an attack by ALPHV/Blackcat. United asserted, "Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need."/3

On March 1, there were several developments. First, United reported it had "completed standing up a new instance of Change Healthcare's Rx ePrescribing service. (Clinical exchange ePrescribing providers' tools are still not operational.)"/4 Second, Optum launched a Temporary Funding Assistant Program./5 And, third, a Bitcoin wallet tied to cybersecurity threat actor ALPHV/Blackcat received a $22 million suspected ransom payment./6 On March 7, United announced that it had launched a "[n]ew instance of the Rx Connect (Switch) service" and was "working to restore full service and connectivity claim traffic, and had thus begun enabling Rx Connect, Rx Edit, and Rx Assist services."/7

As of United's March 28 update, Change was still working to restore access for providers that lost claims and ERA connectivity, and pledging to work "[o]ver the next several weeks . . . with government payers and intermediaries to transition providers enrolled in Change Healthcare connections to the Optum iEDI Clearinghouse."/8 In that update, issued more than a month after the initial disruption, United continued to urge partners and providers to "please allow us and the payers time to complete this effort."/9

Since February 21, 2024, the undersigned Attorneys General have received a series of increasingly dire messages from facilities, care providers, and patients in our states. They report disruptions to care and prescription drug access, catastrophic billing and payment backlogs, and other problems stemming from the extended breakdown of Change Healthcare. Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure.

Though providers and facilities who directly contract with Change Healthcare reported the most substantial impacts to their ability to continue providing care and remain solvent, they were not the only parties affected by the outage. As you are intimately aware, Change Healthcare's platform is woven throughout the nation's health care delivery infrastructure./10 Even parties who do not wittingly use Change Healthcare have endured the effects of Change's failures as insurers-- BlueCross, UCare, and others--have seen their systems hobbled by the disruption of Change. As a consequence, care providers and facilities initially had to choose whether to provide care or prescriptions to patients without completing the requisite approvals and preapprovals (thus risking they would later not be reimbursed by insurers) or refusing to provide those services and jeopardizing the health of patients. The overwhelming majority of providers continued to provide care in good faith. Accordingly, they continued to accumulate claims they could not submit through any commercially reasonable or scalable process, and they continued to amass financial obligations to their providers, vendors, and others they could not pay without reimbursem*nts coming through the door. Facing these immediate financial burdens, some took out lines of credit or loans to pay rent and payroll. These impacts are particularly acute for small independent providers who do not retain bookkeeping and IT staff to navigate other avenues of documentation and claims submission.

To date, both Change Healthcare's and UnitedHealth Group's responses to the crisis have been inadequate. Care providers and non-UHG facilities are unable to reach Change Healthcare staff who can provide timely information about what data has been breached, which patients and systems may have ongoing cyber vulnerability, to what extent independent analysis has been completed to ensure vulnerabilities have been reduced or eliminated, how they can receive financial support that does not impose unreasonable conditions such as waiver of liability, or how they can document and submit claims during the outage. For the limited subset who have successfully navigated Change's and United's financial help systems, the offer of financial support has been paltry, with independent providers being quoted relief of as little as $10 per week. Furthermore, some providers understand that accepting short-term financial aid will waive any claims they may have against Change or United as a consequence of the breach. We are also deeply concerned by the perception that practices owned by United may be getting more immediate relief and more favorable terms from the financial assistance program.

The undersigned Attorneys General are writing to inform you that you have an obligation to take action to limit the harm to our states' care providers and patients. Immediate steps must be taken to protect our care infrastructure for the duration of the outage and in the weeks following while Change, United, and all other plans and providers work through the backlog of claims:

* Enhance and expand financial assistance to all affected providers, facilities, and pharmacies. We understand that some initial onerous terms, such as a waiver of claims, have been removed. Obtaining financial assistance should not require an affected entity to agree to choice of law, choice of venue, statute of limitations, or other onerous terms. We encourage Change to further revise its terms to provide longer pay back periods and permit repayment through offsets of claims paid.

* Ensure your financial assistance programs are not providing more advantageous financial assistance to providers, practices, or facilities that are owned by United or one of its subsidiaries.

* Shield the business information of providers and pharmacies from United's other corporate lines of business (e.g., Optum as a provider and United as an insurer).

* Suspend requirements for prior authorizations, contemporaneous notifications of change of status, and other documentation requirements, the absence of which United would ordinarily use as a basis to deny claims and encourage other carriers to do the same.

* Provide a dedicated help line for providers, facilities, and pharmacies to resolve unanswered questions or stalled claims, and adequately staff it such that questions are resolved promptly.

* Provide a dedicated complaint resolution mechanism for state Attorneys General and relevant state agencies.

* Proactively inform providers, facilities, pharmacies, and industry groups associated with each, of the steps they can take to preserve claims and receive prompt reimbursem*nt.

* Expeditiously resolve the claims backlog and ensure prompt reimbursem*nt of claims.

* Provide to the undersigned offices independent analysis confirming your companies' systems are secure and the vulnerabilities that contributed to the cyberattack have been addressed.

* Identify the specific steps you are taking to expeditiously resolve the claims backlog and ensure prompt reimbursem*nt of claims and provide an update as to what percentage of providers are fully reconnected to Change.

While we expect that your companies will take these actions, please understand that this letter should not be construed as a settlement offer, waiver, or suspension of any ongoing or contemplated investigations or other legal action that the undersigned Attorneys General may take against your companies. The undersigned expressly reserve all rights available to them.

We trust that, after receiving this letter, your companies will work with the Attorneys General to assist our providers, pharmacies, and patients who have been adversely affected by the cyberattack.

We look forward to a prompt update on your efforts.

Sincerely,

/s/ Keith Ellison

KEITH ELLISON

Minnesota Attorney General

/s/ Rob Bonta

ROB BONTA

California Attorney General

/s/ Brian L. Schwalb

BRIAN L SCHWALB

District of Columbia Attorney General

/s/ Aaron M. Frey

AARON M. FREY

Maine Attorney General

/s/ Dana Nessel

DANA NESSEL

Michigan Attorney General

/s/ Mike Hilgers