AHA provides update to Senate, House committee leaders ahead of hearings on fallout from Change Healthcare cyberattack

The AHA April 29 provided the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare cyberattack, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector.

The AHA's letters were sent to committee leaders ahead of May 1 hearings during which the CEO of UnitedHealth Group, which owns Change Healthcare, is expected to testify.

Although much of Change Healthcare's claims and payment system functionality has been restored, it remains unclear as to how long it will take for all operations to return to normal. The AHA said patients and providers are continuing to experience financial and operational impacts following the Feb. 22 cyberattack as providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks.

"It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack," AHA wrote.

The AHA also said that Congress should hold UnitedHealth Group to public comments it made about the company making notifications and undertaking related administrative requirements on behalf of any provider or customer at the appropriate time regarding the breach of protected health information or personally identifiable information.

Meanwhile, to make meaningful progress in the war on cybercrime, the AHA urged Congress and the Administration to focus on the entire health care sector and not just hospitals. The AHA supports the voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, but opposes penalties being levied against hospitals.

"It is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals' primary systems," AHA said. "Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies."