Ranking Member Cassidy, Tuberville Urge Transparency from HHS on Response to Change Healthcare Cyberattack

WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Tommy Tuberville (R-AL) urged the Department of Health and Human Services (HHS) to provide additional information on how it has responded to the recent cyberattack on Change Healthcare that has wreaked havoc on patients and health care providers.  

On February 21, Change Healthcare reported that hackers compromised its systems, resulting in a network outage of many of its services. Change Healthcare offers a number of services to health care providers nationwide, such as claims management tools for pharmacy and medical services that provide real-time adjudication of claims between PBMs, pharmacies, and payers. The disruption of these services has impacted providers across the country, resulting in as many as 25 percent of health care practices being on the verge of bankruptcy. Shockingly, it took 13 days after the cyberattack was publicly reported for HHS to issue a formal statement on the incident.  

HHS is responsible for coordinating cybersecurity activities for the health care sector. Despite the widespread negative effects across the health care system, HHS has failed to provide substantive and regular updates to Congress on its response to the cyberattack. This lack of timeliness has led to uncertainty in the health care sector and raises questions about whether HHS is fully prepared for future cyber incidents. The senators urged HHS to explain its delays in responding to the Change Healthcare cyberattack and how it is working with all affected stakeholders to ensure patients are not further delayed in receiving care.  

“The recent cyberattack involving Change Healthcare has been enormously disruptive to the health care sector, and has hindered patients from accessing timely care,” wrote the senators. “HHS’ response to this incident has been inadequate, as the agency has not provided sufficient information to Congress about the attack at a time when the health care sector faces record cybersecurity incidents.” 

Read the full letter here or below. 

Dear Secretary Becerra:

Cybersecurity attacks pose a grave risk to patients and payers. As the Sector Risk Management Agency (SRMA) for the Health and Public Health (HPH) sector, the Department of Health and Human Services (HHS) is the primary coordinating body for cybersecurity incidents. However, recent cyberattacks raise questions about HHS’ ability to effectively execute this role.

The recent cyberattack involving Change Healthcare has been enormously disruptive to the health care sector, and has hindered patients from accessing timely care. HHS’ response to this incident has been inadequate, as the agency has not provided sufficient information to Congress about the attack at a time when the health care sector faces record cybersecurity incidents.^[1] For example, Change Healthcare first reported the cyberattack on February 21, yet HHS only released its first formal statement outlining steps for affected parties on March 5 — nearly two weeks later. This incident has impacted providers across the country, potentially putting as many as 25% of practices on the verge of bankruptcy.^[2] The breadth of this situation requires regular communication and immediate action, especially with members of Congress.

Providing up-to-date information and coordination about cybersecurity incidents is one of HHS’ key duties as SRMA. It is troubling that HHS has failed in this critical area. As such, in an effort to better understand the facts surrounding Change Healthcare’s cybersecurity incident, [we] ask that you answer the following questions, on a question-by-question basis, by April 3, 2024:

1. When did HHS receive notification from Change Healthcare that a cyberattack occurred?

2. Change Healthcare first reported that a cyberattack had occurred on February 21. However, HHS did not issue a formal statement outlining steps for affected parties until March 5.

1. Why did HHS wait 13 days to issue this statement?
2. How does HHS intend to improve its role in providing regular updates to Congress?

3. Has HHS identified any unauthorized access or breach of any federal systems as a result of the cyberattack?

4. What steps is HHS taking to ensure that affected providers do not suffer from any secondary cybersecurity intrusions as a result of the original incident?

5. What tools has HHS offered to affected entities to identify and patch any cybersecurity vulnerabilities?

6. What steps is HHS taking to ensure that there are adequate flexibilities for providers to submit claims for reimbursement to UnitedHealth Group (UHG) or other private payers in light of the Change Healthcare attack?

7. Will HHS provide an extension for the submission of claims to the federal Independent Dispute Resolution (IDR) process under the No Surprises Act for providers and payers affected by the Change Healthcare attack?

8. What steps is HHS taking to ensure that prevailing parties under the No Surprises Act receive timely payment by entities affected by the Change Healthcare attack?

9. The Administration for Strategic Preparedness & Response (ASPR) is designated to serve as the SRMA on behalf of HHS. ASPR, however, has thus far shared limited information about the cyberattack.

1. What specific steps has ASPR taken to coordinate the response to this incident?
2. How does it intend to communicate additional details to Congress?

10. How is HHS coordinating its immediate response with other federal agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Securities and Exchange Commission (SEC)?

11. ASPR has stated that it intends to make improvements to its cybersecurity reporting and monitoring systems for future cybersecurity incidents. Please provide specific improvements it intends to make, the anticipated timeline for making such improvements, and any limitations ASPR has identified that need improvements.