During a system upgrade from Friday, Dec. 5, through Sunday, Dec. 7, the AAFP website, on-demand courses and CME purchases will be unavailable.

    • Help us advocate for you. Share how the cyber outage has affected your practice.

    Change Healthcare Cybersecurity Attack and Outage

    The Feb. 21 cyberattack on Change Healthcare continues to have a widespread negative impact on patients and practices. UnitedHealth Group is regularly sharing updated information on restoration timelines and resources.

    Since the attack and outage, the AAFP continues to closely monitor the situation and has:

    • Reached out to UnitedHealth Group and urged them to minimize disruptions to physicians, practices and patients and provide financial assistance. 
    • Shared the family physician perspective on the attack and its potential fallout with Congress and the White House. 
    • Continued working to ensure that disruptions to claims submission, payment processes and other Change Healthcare products do not hamper care delivery.

     

    Class action lawsuits and claims: Considerations

    There are numerous Change Healthcare class action lawsuits and individual claims for financial compensation being pursued against the company. Physicians who experienced disruptions due to the Change Healthcare event and are interested in understanding their options may want to:

    • Consult with Legal Counsel: Consider speaking with a healthcare attorney—either locally or with firms already involved in related claims—to assess the viability of joining or initiating a lawsuit. Legal professionals can help determine if there’s a basis for compensation and help guide the next steps.
    • Carefully Read and Retain Any Notices You Receive: These may contain instructions and deadlines that can affect your ability to obtain relief, to join an ongoing lawsuit or to otherwise pursue your potential claims.
    • Retain Documentation: Collect and retain any documents and other evidence you have regarding any disruptions to your systems or practice and any losses you may have sustained. A legal advisor can help you identify the types of documentation that may serve as evidence of any damages you may have suffered and support your claims.
    • Explore Existing Class-Action Lawsuits: Physicians/practices may be eligible to join ongoing class-action lawsuits related to the outage. These suits often consolidate similar claims and can reduce the burden of pursuing individual legal action. A legal advisor can help identify relevant cases and advise you on your options.
    • Understand the Legal Process and Risks: Civil litigation can be lengthy and complex, with no guarantee of sufficient compensation. Consider the potential benefits as well as the time, cost, and emotional investment required before proceeding.
    • Stay Informed: The federal district court in Minnesota has established a website to keep plaintiffs, potential plaintiffs and the public informed of developments in the pending consolidated federal cases regarding the Change Healthcare data breach. There are other websites that provide information and track developments in the litigation as well.

    HIPAA notices

    Physicians and health care providers who are HIPAA Covered Entities (CEs) are legally required to notify their patients of any breach of protected health information. Notification can be delegated to a CE's business associate (BA) and includes reporting the breach to HHS and issuing a notice to the public via media if the breach affects 500 or more patients. 

    Change Healthcare (CHC) has announced that it will issue breach notifications and complete reporting on behalf of all affected CEs. (See FAQ answer to “Will I have to do my own notifications?” for details.) Letters should start reaching potentially affected patients in late July 2024.

    The AAFP is engaged in ongoing advocacy on this topic and continues to seek additional clarifying guidance from HHS to ensure minimal impact to physicians and their patients.

    Legal Penalties

    Affected CEs can reasonably assume that the responsibility of notifying patients will be completed by CHC. If CHC unexpectedly does not fulfill this notification obligation, the CE would be liable for a HIPAA violation. However, the secretary of HHS has the authority to waive investigation, enforcement and penalties as long as a HIPAA violation was not “due to willful neglect.” 

    It's reasonable to believe that the secretary would exercise one or more of these discretions should CHC not complete the patient notifications it has publicly announced it will perform. 

    Patient resources

    The sample notice information Change Healthcare has provided includes information that answers patient questions about the breach, such as:

    • A list of things patients can do to protect their privacy
    • Details on obtaining free credit reporting and monitoring services
    • Call center support

    Funding assistance and MIPS relief

    Optum's Temporary Funding Assistance Program

    Follow these steps to potentially access temporary funding provided by Optum Financial Services:

    For answers to common questions about funding assistance, visit Optum's webpage for the program.

    HHS and CMS Announcements

    The U.S. Department of Health and Human Services is maintaining a list of information about private payers to help you connect with them for support and more.

    CMS advanced payment program will stop taking new applications for those affected by the outage on July 12, 2024:


    Practices can now cite the Change Healthcare outage when applying to CMS for a Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) exception for the 2024 performance year.

    FPM's Getting Paid blog entry on CMS' announcements summarizes the 2023 MIPS reporting relief available to physicians.

    Share your experience

    AAFP advocacy

    The AAFP is engaged in ongoing advoacy for family physicians on this cybersecurity issue.

    Copyright © 2025 American Academy of Family Physicians. All Rights Reserved.