Skip to main content

AG Nessel Urges UnitedHealth Group to Help Patients and Providers Harmed by Cyberattack on Change Healthcare

LANSING – Michigan Attorney General Dana Nessel has joined a bipartisan, multistate coalition of 22 attorneys general in sending a letter (PDF) to UnitedHealth Group, Inc. — the nation’s largest health insurer and the parent company of Change Healthcare — urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent catastrophic outage of Change Healthcare.

On February 21, 2024, Change Healthcare experienced a cyberattack by ALPHV/Blackcat, which crippled its platform. In the intervening weeks, providers, pharmacies, and facilities have reported catastrophic disruptions to care infrastructure, inability to verify coverage or obtain prior authorization, and inability to process claims or obtain reimbursements. Patients report delayed or denied access to prescription drugs, and difficulty scheduling appointments or procedures. The Change Healthcare outage profoundly disrupted patient care and has put some providers on the precipice of financial ruin.

Change Healthcare runs the nation’s biggest electronic data clearinghouse. Its technological infrastructure is used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claims data, and perform other administrative tasks essential to the delivery of health care.

UnitedHealth Group acquired Change Healthcare in 2022.

“Cyberattacks in the healthcare sector are becoming frighteningly frequent,” Nessel said. “It is the duty of organizations that hold our most personal and sensitive data to vigorously defend against cyberattacks, and when they fail in that defense they should take all reasonable efforts to protect the patients they left vulnerable. The steps we are requesting should be as commonplace as the attacks on personal health data have become. I proudly stand with my colleagues in asking UnitedHealth to take meaningful action to make providers and patients whole and limit the ongoing harm and effects of this security failure.”

Nessel and the bipartisan coalition call upon UnitedHealth Group to act quickly to limit the harm to the states’ care providers and patients. Specifically, they ask UnitedHealth Group to take the following steps:

  • Enhance and expand financial assistance, free of onerous terms, to all affected providers, facilities, and pharmacies.
  • Ensure their financial assistance programs are not providing more advantageous financial assistance to providers, practices, or facilities that are owned by UnitedHealth Group. 
  • Shield the business information of providers and pharmacies from United’s other corporate lines of business.
  • Suspend requirements for prior authorizations, contemporaneous notifications of change of status, and other documentation requirements.
  • Provide a dedicated help line for providers, facilities, pharmacies, and state Attorneys General.
  • Proactively inform providers, facilities, pharmacies, and industry groups associated with each, of the steps they can take to preserve claims and receive prompt reimbursement.
  • Expeditiously resolve the claims backlog and ensure prompt reimbursement of claims.
  • Ensure providers, facilities, pharmacies, regulators, affected patients, and the public are informed of what data was compromised and what steps, if any, are needed for providers and patients to mitigate future identity theft or systems risks.

UnitedHealth Group reported $22 billion in profits in 2023. Even with the February cyberattack in its first quarter, UnitedHealth Group reported revenue of $99.8 billion, up $7.9 billion from same period the previous year.

In contrast, many hospitals and clinics are operating under tremendous financial strain, relying upon critical infrastructure such as Change Healthcare or adjacent vendors to maintain the operations that support their patient care. The two months of near collapse of the nation’s biggest claims management system since the cyberattack on Change Healthcare has pushed many entities — particularly small independent medical providers and pharmacies — to make difficult choices, such as seeking financial assistance with disadvantageous terms or delaying payroll.

Joining AG Nessel in sending the letter to UnitedHealth Group are Minnesota Attorney General Keith Ellison, who leads the letter, and a bipartisan group of attorneys general from Arizona, California, Connecticut, the District of Columbia, Hawaii, Maine, Massachusetts, Minnesota, Mississippi, Nebraska, Nevada, New Hampshire, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, South Dakota, Utah, Vermont, and Washington.

A copy of the letter can be accessed here (PDF).


Media Contact: