The most significant and consequential cyberattack in American history began Feb. 21 against UnitedHealth Group's Change Healthcare, crippling financial operations for hospitals, insurers, pharmacies and medical groups nationwide.
Becker's has compiled a timeline of the attack since it began, including regulatory and policy updates, along with statements from affected stakeholders.
Editor's note: This article was updated March 26 and will continue to be updated.
March 25
Rep. Jamie Raskin, a Maryland Democrat and ranking member of the House Oversight Committee, sent a letter to UnitedHealth CEO Andrew Witty, saying he is "concerned that UnitedHealth Group is restricting the ability of federal agencies to provide applicable assistance to Change Healthcare." Rep. Raskin asked UnitedHealth to give a briefing to oversight committee staff. The Senate Finance Committee is also working to secure a hearing with Mr. Witty this spring.
March 22
Change began restoring its biggest clearinghouse platforms and started processing $14 billion in claims.
March 21
The AHA wrote to HHS, urging it to clarify whether hospitals should be notifying patients about protected health information that may have been compromised and saying that Change should be responsible for notifications. State hospital associations reminded members about state-level data breach notification laws and advised them to review their various obligations during a possible breach.
March 20
Providers have begun to file lawsuits against UnitedHealth over the cyberattack. At least six federal lawsuits were filed between March 14 and 20.
UnitedHealth said it restored Amazon Web Services from backups for Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange.
March 19
A bipartisan group of nearly 100 federal lawmakers urged HHS to use its full authority to ensure payments are being made to hospitals, physicians and Medicare Advantage plans, along with state Medicaid programs. Congress is also asking HHS to address "the inability of many patients to receive timely access to medications" and to continue its conversations with UnitedHealth about recovery efforts.
March 18
UnitedHealth Group said it has advanced more than $2 billion to providers and is launching software for medical claims preparation. The company has restored 99% of pharmacy network services. Change's electronic payments platform was restored March 15, with payer implementations underway.
Fifteen insurers and trade groups met with Biden administration officials to discuss the industry's ongoing response to the attack. Stakeholders discussed how progress has been made in reestablishing claims processing systems, though small, rural and safety-net providers specifically are still reporting issues with cash flow.
Fitch Ratings said the attack could negatively affect the credit profiles of smaller healthcare providers, pharmacies and other companies that rely on Change services. Higher-rated companies are assumed to have the flexibility to withstand the disruptions.
March 15
An American Hospital Association survey of nearly 1,000 hospitals conducted between March 9 and 12 found that 94% of hospitals have felt financial impact from the attack, and more than half have reported a "significant or serious" impact. Seventy-four percent of hospitals reported a direct effect on patient care.
Provider claims to payers have dropped by more than one-third, according to an analysis of 1,850 hospitals and 250,000 physicians nationwide by Kodiak Solutions. Through March 9, the total estimated cash flow impact for hospitals reporting data to Kodiak is $6.3 billion in delayed payments.
March 14
The American Medical Association said "it is dumbfounding that following weeks of silence and a lack of assistance to struggling practices in the wake of the Change Healthcare cyberattack, AHIP's response is a 'business as usual' approach to prior authorization. This approach is particularly galling since service outages have exacerbated the administrative burdens and care delays already associated with this process."
March 13
The federal government launched an investigation into UnitedHealth and Change over the cyberattack within the context of HIPAA compliance.
The AHA urged Congress to consider existing statutory limitations that could limit aid from CMS and HHS to hospitals and providers.
March 12
AHIP President and CEO Mike Tuffin said suspending prior authorization requirements could do more harm than good and that individual plans and providers are in the best position to assess how to maintain appropriate payments in a timely manner.
Officials with the Biden administration summoned UnitedHealth Group CEO Andrew Witty to the White House, urging the company to provide more emergency funding to providers.
Highmark Health detailed an advance funding program for providers struggling with cash flow, becoming the first Blue Cross Blue Shield company to do so. The company is not waiving prior authorizations at this time.
March 11
Massachusetts hospitals are losing at least $24 million a day due to the cyberattack, the state hospital association reported.
The AMA called for and offered to help create a list of all payers that are offering advance provider payments.
March 10
HHS called on UnitedHealth to "take responsibility to ensure no provider is compromised by their cash flow challenges" and to expedite the delivery of payments. The government urged the company to communicate about recovery efforts more frequently and with more transparency to both the healthcare system and state Medicaid agencies.
For all payers, HHS asked that interim payments be made to affected providers and that prior authorization and other utilization management requirements be put on hold temporarily.
March 9
CMS expanded its response to the attack to include advance payments to physicians and other outpatient care providers experiencing claims disruptions.
March 8
The AHA said it will take several weeks, if not months, before hospitals and other healthcare providers can fully recover from the attack. Moody's said the fallout will affect hospitals' credit ratings as they search for alternative claims filing methods.
March 7
UnitedHealth Group released a timeline for restoring key Change Healthcare systems, and CEO Andrew Witty committed to making things right "as fast as possible."
As of March 7, Change's pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection March 15. Its medical claims network and software are expected to start testing for reconnection March 18, with the company working throughout that week to restore service.
Until March 31, UnitedHealth has suspended Medicare Advantage and D-SNP prior authorizations for most outpatient services.
March 6
Lawsuits began rolling in against UnitedHealth Group over the cyberattack. At least five federal lawsuits have been filed this month against the company, court records show.
March 5
HHS accelerated payments to hospitals affected by the cyberattack and instituted other workarounds for providers. CMS encouraged Medicare Advantage organizations and Part D sponsors to remove or relax prior authorizations.
Elevance Health's CFO Mark Kaye said the company initially saw a 15% to 20% reduction in the daily volume of data it receives from providers following the attack, and now is down about 10% relative to normal daily volumes. Humana's CFO, Susan Diamond, said about 20 percent of the company's medical claims submitted by providers go through Change Healthcare's system before they reach the payer, making it difficult to gauge total medical expenses.
March 4
The AHA called Change Healthcare's temporary funding program for affected providers inadequate, while U.S. Senate Majority Leader Chuck Schumer asked CMS to speed up payments to hospitals.
Larger health systems are bleeding more than $100 million daily because of the interruptions, cybersecurity company First Health Advisory told multiple news outlets. Despite this, some health systems resumed normal operations. Renton, Wash.-based Providence resumed normal operations, utilizing electronic prescriptions via Epic and phasing out the use of paper scripts.
The Department of Homeland Security warned healthcare organizations to look out for "malicious cyber actors [that] target the Healthcare and Public Health Sector for financial gain, cyber espionage purposes or ideological reasons."
March 3
ALPHV/BlackCat received a bitcoin payment worth over $20M on March 3, Reuters reported. A cybersecurity firm said the destination of the funds was associated with the ransomware group that claimed responsibility for the hack. UnitedHealth Group did not comment on if it had paid the group, but said it was focused on the investigation and recovery of Change's services.
March 1
Optum introduced a temporary funding assistance program for providers struggling with cash flow after the attack. Change also implemented a workaround system for its e-prescribing program for pharmacies. The company said it was working with Microsoft and Amazon Web Services to do an additional scan of its cloud environment.
Feb. 29
Change Healthcare confirmed ALPHV/BlackCat represented itself as the group behind the attack. The ransomware group claimed it had stolen 6 terabytes worth of data from Change, including medical records, patient Social Security numbers, and information on active military personnel. Ransomware groups are known to exaggerate the amount of data they have to demand higher payments.
Change said it was working with cybersecurity firms Palo Alto Network and Mandiant, a Google subsidiary, and law enforcement to address the cyberattack.
Feb. 27
HHS warned hospitals to be wary of ALPHV/BlackCat, the group that claimed responsibility for hacking Change Healthcare. Most of the group's 70 victims since December have been in the healthcare industry, the agency said, and the ransomware gang's leaders have encouraged members to target hospitals.
In a message to providers, Aetna said it was aware some providers in its network may not be receiving timely payments. The insurer said it was prioritizing workarounds to get payments to providers. Aetna said it would not liberalize any prior authorization requirements at that time.
Feb. 26
Ransomware group BlackCat claimed responsibility for the attack, sources with knowledge of the incident told Reuters.
Fitch and Moody's said the incident carries legal and reputational risks for UnitedHealth Group but will not affect credit ratings.
UnitedHealth Group said 90% of the 70,000-plus pharmacies in the U.S. using Change Healthcare's platform modified electronic claims processing to mitigate effects of the hack. The remaining 10% have offline processing workarounds, the company said.
Feb. 22
As hospitals, health systems and pharmacies reported disruptions from the attack, the AHA urged facilities to disconnect from Optum's systems. A spokesperson for Danville, Pa.-based Geisinger Healthcare said the system immediately disconnected from Change's systems following the attack.
UnitedHealth Group said it suspected a "nation-state group" was behind the attack.
Feb. 21
Optum reported "enterprise-wide connectivity" issues early in the morning. Later in the day, Optum said Change Healthcare was experiencing a network disruption due to a cybersecurity threat, and it immediately disconnected Change's systems after the attack was discovered.