Cheat Sheet - Timeline of Federal Action Stemming from the Change Healthcare Cyberattack
Date
Wed, Jul 10, 2024, 05:00 AM
Download PDF for an easy-to-read timeline of federal actions following the February 2024 Change Healthcare cyberattack, complete with helpful links.
Change Healthcare Data Breach Timeline: Federal Action
February 21, 2024 | Change Healthcare, a unit of UnitedHealth Group (UHG), discovers data breach, ALPHAV/Black Cat later claims responsibility for ransomware attack.
March 5, 2024 | The Department of Health and Human Services (HHS) release a statement on Change healthcare cyberattack.
March 9, 2024 | The Centers for Medicare & Medicaid Services (CMS) announce availability of Accelerated and Advance Payment (AAP) Program funds for providers impacted by the cyberattack.
March 13, 2024 | HHS' Office for Civil Rights (OCR) issues a "Dear Colleague" letter and opens an investigation on the Change Healthcare cyberattack.
March 22, 2024 | Senator Mark Warner (D-VA) introduces legislation tying minimum cybersecurity standards to AAP Program funding.
April 15, 2024 | A bipartisan group of Energy and Commerce (E&C) leaders send a letter to Andrew Witty, CEO of UHG, seeking answers about the cyberattack.
April 16, 2024 | The House E&C Subcommittee on Health holds a hearing on the incident and CHIME'S Board Chair, Scott MacLean, testifies on behalf of CHIME's membership.
April 19, 2024 | OCR publishes a webpage responding to frequently asked questions (FAQs) concerning the Change Healthcare cyberattack.
May 1, 2024 | Andrew Witty, CEO of UHG, testifies on both the Senate Finance Committee and the House Energy & Commerce Subcommittee on Oversight and Investigations. Witty's responses to the Senate Finance Questions for the Record (QFRs) were released a few weeks after.
May 30, 2024 | Senate Finance Chairman Ron Wyden (D-OR) sends a letter to the FTC and SEC to investigate UHG's "negligent cybersecurity practices."
May 31, 2024 | OCR updates its Change Healthcare Cybersecurity Incident FAQs.
June 5, 2024 | Senate Finance Chairman Ron Wyden (D-OR) send a latter to HHS calling on the department to enforce mandatory cybersecurity measures for major healthcare entities.
June 7, 2024 | Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) send a letter to Andrew Witty on the status of breach notifications.
June 14, 2024 | HHS, Labor, and the Treasury announce 120-day extension for IDR disputes impacted by the cyberattack.
June 17, 2024 | CMS announces closure date of July 12, 2024 for payments under the AAP Program in response to the cyberattack.
July 19, 2024 | OCR posts breach on its website
Recommended for you
post
Unveiling the Future of Healthcare with CHIME's AI Principles
Jul 30, 2024
CHIME's AI Principles serve as a beacon, promoting patient safety, administrative efficiencies, regulatory oversight, innovation, and equity.
audio
From Chaos to Clarity: Data Strategies for Scalable AI in Healthcare
Apr 08, 2025
This episode covers the evolving role of AI and data infrastructure in healthcare, the importance of building robust, scalable data foundations before implementing AI, and advanced analytics to ensure measurable outcomes.
post
CHIME Responds to RFI from E&C Privacy Working Group
Apr 07, 2025
CHIME responds to a request for information from a privacy working group led by Energy and Commerce Committee Chairman Brett Guthrie and Vice Chairman John Joyce.
post
Connecting the Dots: Infrastructure in the Age of Hyperconnected Care Delivery
Apr 04, 2025
This roundtable of experts discussed how to address some of the most pressing challenges in infrastructure development, including deciding on hosting options, addressing gaps in connectivity for remote patient care, and planning for a device-driven future in the hospital and in the community.