Tuberville Presses HHS for Answers in Wake of Change Healthcare Cyber Attack

Cyber Attack Affecting Healthcare Across Alabama

WASHINGTON – Yesterday, U.S. Senator Tommy Tuberville (R-AL) and U.S. Senator Bill Cassidy (R-LA) urged the Department of Health and Human Services (HHS) to provide additional information on how it has responded to the recent cyberattack on Change Healthcare that has wreaked havoc on patients and health care providers in Alabama and across America.

“HHS’ response to this incident has been inadequate, as the agency has not provided sufficient information to Congress about the attack at a time when the health care sector faces record cybersecurity incidents,” wrote the Senators.

Read the full letter below or here.

Dear Secretary Becerra:

Cybersecurity attacks pose a grave risk to patients and payers. As the Sector Risk Management Agency (SRMA) for the Health and Public Health (HPH) sector, the Department of Health and Human Services (HHS) is the primary coordinating body for cybersecurity incidents. However, recent cyberattacks raise questions about HHS’ ability to effectively execute this role.

The recent cyberattack involving Change Healthcare has been enormously disruptive to the health care sector, and has hindered patients from accessing timely care. HHS’ response to this incident has been inadequate, as the agency has not provided sufficient information to Congress about the attack at a time when the health care sector faces record cybersecurity incidents.[1] For example, Change Healthcare first reported the cyberattack on February 21, yet HHS only released its first formal statement outlining steps for affected parties on March 5 — nearly two weeks later. This incident has impacted providers across the country, potentially putting as many as 25% of practices on the verge of bankruptcy.[2] The breadth of this situation requires regular communication and immediate action, especially with members of Congress.

Providing up-to-date information and coordination about cybersecurity incidents is one of HHS’ key duties as SRMA. It is troubling that HHS has failed in this critical area. As such, in an effort to better understand the facts surrounding Change Healthcare’s cybersecurity incident, [we] ask that you answer the following questions, on a question-by-question basis, by April 3, 2024:

  1. When did HHS receive notification from Change Healthcare that a cyberattack occurred?
  2. Change Healthcare first reported that a cyberattack had occurred on February 21. However, HHS did not issue a formal statement outlining steps for affected parties until March 5.
    • Why did HHS wait 13 days to issue this statement?
    • How does HHS intend to improve its role in providing regular updates to Congress?
  3. Has HHS identified any unauthorized access or breach of any federal systems as a result of the cyberattack?
  4. What steps is HHS taking to ensure that affected providers do not suffer from any secondary cybersecurity intrusions as a result of the original incident?
  5. What tools has HHS offered to affected entities to identify and patch any cybersecurity vulnerabilities?
  6. What steps is HHS taking to ensure that there are adequate flexibilities for providers to submit claims for reimbursement to UnitedHealth Group (UHG) or other private payers in light of the Change Healthcare attack?
  7. Will HHS provide an extension for the submission of claims to the federal Independent Dispute Resolution (IDR) process under the No Surprises Act for providers and payers affected by the Change Healthcare attack?
  8. What steps is HHS taking to ensure that prevailing parties under the No Surprises Act receive timely payment by entities affected by the Change Healthcare attack?
  9. The Administration for Strategic Preparedness & Response (ASPR) is designated to serve as the SRMA on behalf of HHS. ASPR, however, has thus far shared limited information about the cyberattack.
    • What specific steps has ASPR taken to coordinate the response to this incident?
    • How does it intend to communicate additional details to Congress?
  10. How is HHS coordinating its immediate response with other federal agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Securities and Exchange Commission (SEC)?
  11. ASPR has stated that it intends to make improvements to its cybersecurity reporting and monitoring systems for future cybersecurity incidents. Please provide specific improvements it intends to make, the anticipated timeline for making such improvements, and any limitations ASPR has identified that need improvements.

BACKGROUND

Change Healthcare provides nationwide services to healthcare providers including claims management tools for pharmacy and medical services that provide real-time adjudication of claims between PBMs, pharmacies, and payers. On February 21, Change Healthcare reported a network outage of many of its services due to hackers that compromised its systems. The outage of the platform’s services has impacted providers and patients across the country, resulting in as many as 25 percent of health care practices being on the verge of bankruptcy. To make matters worse, it took 13 days for Change to formally report the cyberattack to HHS.

Health care entities across Alabama, including hospitals, doctors’ offices, and pharmacies, have had their reimbursements majorly disrupted by the Change Healthcare hack. As a result, these entities are struggling to make ends meet, keep their doors open, and provide care to Alabamians. Change Healthcare processes around one-third of the insurance claims throughout the United States, and that translates to a multi-million-dollar impact on the Alabama health care system.

HHS is responsible for coordinating cybersecurity activities for the health care sector. Despite the widespread negative effects of this cyberattack across the health care system, HHS has failed to provide substantive and regular updates for Congress on its response. This lack of timeliness has led to uncertainty in the health care sector and raises questions about whether HHS is fully prepared for future cyber incidents. The senators urged HHS to explain its delays in responding to the Change Healthcare cyberattack and how it is working with all affected stakeholders to ensure patients are not further delayed in receiving care.

Senator Tommy Tuberville represents Alabama in the United States Senate and is a member of the Senate Armed Services, Agriculture, Veterans’ Affairs, and HELP Committees.

###