Change Healthcare cyberattack and outage: What you need to know
By News Staff
The Change Healthcare cyberattack in February 2024 resulted in the largest known health care data breach in U.S. history, affecting approximately 193 million individuals. Though most Change Healthcare systems were restored by late April 2024, physician practices continue to experience related financial, administrative, legal and compliance impacts.
The AAFP will continue to monitor the situation and keep members updated. Here is what family physicians need to know now.
Patient notifications
Change Healthcare and UnitedHealth Group notified patients regarding the breach of protected health information. Notification mailings and credit‑monitoring enrollment periods have been largely completed.
Deadlines have passed for MIPS and regulatory relief
CMS offered limited relief for practices affected by the cyberattack, including Extreme and Uncontrollable Circumstances (EUC) reweighting for the 2023 MIPS performance year. Final application deadlines for cyberattack‑related MIPS relief closed in 2024.
Though practices can no longer apply for new MIPS exceptions related to the Change Healthcare outage, they are advised to retain documentation in case of future audits or targeted reviews.
Recovery, reconciliation and accountability
Practices should not expect new system restoration announcements. The focus has shifted to long‑term recovery and accountability. Ongoing issues for practices are largely related to:
- Claims reconciliation and payment delays
- Repayment of temporary funding or loans
- Regulatory reporting and audits
- Legal and compliance follow‑up
- Patient questions related to the data breach
Considerations for class action lawsuits and claims
There are numerous class action lawsuits and individual claims for financial compensation being pursued against the company. Physicians who experienced disruptions due to the Change Healthcare event and are interested in understanding their options may want to:
- Consult with legal counsel: Consider speaking with a health care attorney—either locally or with firms already involved in related claims—to assess the viability of joining or initiating a lawsuit. Legal professionals can help determine if there’s a basis for compensation and help guide the next steps.
- Carefully read and retain notices: These may contain instructions and deadlines that can affect your ability to obtain relief, to join an ongoing lawsuit or to otherwise pursue your potential claims.
- Retain documentation: Collect and retain any documents and other evidence you have regarding any disruptions to your systems or practice and any losses you may have sustained. A legal advisor can help you identify the types of documentation that may serve as evidence of any damages you may have suffered and support your claims.
- Explore existing class-action lawsuits: Physicians/practices may be eligible to join ongoing class-action lawsuits related to the outage. These suits often consolidate similar claims and can reduce the burden of pursuing individual legal action. A legal advisor can help identify relevant cases and advise you on your options.
- Understand the legal process and risks: Civil litigation can be lengthy and complex, with no guarantee of sufficient compensation. Consider the potential benefits as well as the time, cost and emotional investment required before proceeding.
- Stay informed: The federal district court in Minnesota has established a website to keep plaintiffs, potential plaintiffs and the public informed of developments in the pending consolidated federal cases regarding the data breach. There are other websites that provide information and track developments in the litigation as well.
Lessons learned: Practice resilience and cybersecurity
The Change Healthcare incident highlighted the risks of heavy reliance on a single clearinghouse or vendor. The AAFP encourages practices to consider:
- Establishing secondary clearinghouse or payment pathways
- Maintaining the ability to submit manual or paper claims when necessary
- Reviewing business associate agreements and cybersecurity requirements
- Developing and annually testing a cybersecurity response and downtime plan