Congressional hearing highlights impact of Change Healthcare cyberattack

| April 22, 2024

Congressional hearing highlights impact of Change Healthcare cyberattack

Help the AMA and the College advocate for you – please complete the AMA’s new brief survey about current problems you are experiencing related to the Change Healthcare cyberattack. Responses are due Wednesday, April 24.

Last February’s devastating cyberattack on Change Healthcare has garnered the attention of Congressional leaders. Last week, the House Energy & Commerce Committee’s Health Subcommittee held a hearing titled “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.”

Despite widespread disappointment from Congressional leaders that the UnitedHealth Group (UHG) CEO was not in attendance, the hearing featured witness testimony from cybersecurity leaders, public policy directors, a health IT professional, an American Hospital Association representative, and an orthopedic surgeon. The three-hour hearing allowed the witnesses to describe the disruptions caused by the cyberattack on Change Healthcare and the urgent need for Congressional action to minimize the chances and potential disruptions of cyber incidents in the future.

The need for financial assistance to improve cybersecurity
There is bipartisan agreement that there needs to be heightened cybersecurity risk management and standards in the health sector. The Committee and witnesses agreed that protocols and risk management should be spread across the many players in health care. However, many expressed concern that medical practices (especially small and rural practices) would face significant problems implementing any cybersecurity requirements without assistance from the federal government. Witnesses advocated for federal funding to assist entities that must implement new cybersecurity requirements.

Witnesses also articulated the importance of focusing new cybersecurity requirements on the “highest value” targets. In many cases, vendors that hold large amounts of protected health information (PHI) are higher value targets than medical practices. ACAAI’s Advocacy Council agrees that heightened cybersecurity requirements are necessary to help avoid another attack – like the recent Change Healthcare attack – from infiltrating an allergy practice but believes allergy practices should have plentiful access to federal funding to sufficiently implement, support, and maintain any new cybersecurity requirements.

The House Energy & Commerce Committee’s Health Subcommittee’s hearing also discussed the importance of easing access to financial support following a cyberattack. Committee members and witnesses agreed federally supported financial assistance programs took too long to take effect – this is largely because a cyberattack usually does not constitute a Federal Emergency Management Agency (FEMA) National State of Emergency. To remedy this problem, witnesses proposed creating a lower-level state of emergency for cyberattacks that would allow funds to be distributed to providers in a timely manner to ensure patients are treated and medical practices can pay their bills. ACAAI’s Advocacy Council would stand behind any federal legislation that would ease payments to physicians following a cyberattack.

Concerns with consolidation/vertical Integration in the health sector
Another area that received major hearing coverage was the harms of health care consolidation/vertical integration. There was widespread concern among members of Congress and witnesses that health care consolidation and vertical integration posed major consequences for cybersecurity. Ironically, the prime example is UHG, the world’s biggest privately owned health care conglomerate. UHG acquired Change Healthcare in late 2022. The Department of Justice (DOJ) unsuccessfully challenged the acquisition. Large health care companies have access to abundant amounts of sensitive PHI, which makes them especially high-value targets for cybercriminals. When probed about whether vertical integration in the health sector could lead to higher national security risks, the witnesses unanimously agreed this was the case, as health care is considered critical infrastructure.

Notably, it was highlighted that Optum (the subsidiary of UHG that owns Change Healthcare) is capitalizing on the issues it has caused by acquiring vulnerable clinics financially struggling due to the cyberattack. The hearing called attention to Corvallis Clinic in Oregon, which recently requested emergency acquisition by Optum due to a major cash flow disruption. According to the witnesses, this is just one of many such instances.

Looking ahead
More hearings on the cyberattack are expected soon. The Senate Finance Committee is expected to announce a hearing with UHG CEO Andrew Witty in the coming days. The Senate Committee on Health, Education, Labor and Pensions (HELP) is holding private meetings with UHG. It is unclear if these meetings will lead to a HELP Committee hearing.

The ACAAI Advocacy Council intends to emphasize the need for financial support to medical practices in the event of new cybersecurity legislation during discussions with lawmakers at their upcoming annual Capitol Hill Day early next month.

If your practice has been adversely impacted by the Change Healthcare cyberattack, please reach out to us at We want to hear from you.