Cheat Sheet - Timeline of Federal Action Stemming from the Change Healthcare Cyberattack

Download PDF for an easy-to-read timeline of federal actions following the February 2024 Change Healthcare cyberattack, complete with helpful links.

Change Healthcare Data Breach Timeline: Federal Action

February 21, 2024 | Change Healthcare, a unit of UnitedHealth Group (UHG), discovers data breach, ALPHAV/Black Cat later claims responsibility for ransomware attack.

March 5, 2024 | The Department of Health and Human Services (HHS) release a statement on Change healthcare cyberattack.

March 9, 2024 | The Centers for Medicare & Medicaid Services (CMS) announce availability of Accelerated and Advance Payment (AAP) Program funds for providers impacted by the cyberattack.

March 13, 2024 | HHS' Office for Civil Rights (OCR) issues a "Dear Colleague" letter and opens an investigation on the Change Healthcare cyberattack.

March 22, 2024 | Senator Mark Warner (D-VA) introduces legislation tying minimum cybersecurity standards to AAP Program funding.

April 15, 2024 | A bipartisan group of Energy and Commerce (E&C) leaders send a letter to Andrew Witty, CEO of UHG, seeking answers about the cyberattack.

April 16, 2024 | The House E&C Subcommittee on Health holds a hearing on the incident and CHIME'S Board Chair, Scott MacLean, testifies on behalf of CHIME's membership.

April 19, 2024 | OCR publishes a webpage responding to frequently asked questions (FAQs) concerning the Change Healthcare cyberattack.

May 1, 2024 | Andrew Witty, CEO of UHG, testifies on both the Senate Finance Committee and the House Energy & Commerce Subcommittee on Oversight and Investigations. Witty's responses to the Senate Finance Questions for the Record (QFRs) were released a few weeks after.

May 30, 2024 | Senate Finance Chairman Ron Wyden (D-OR) sends a letter to the FTC and SEC to investigate UHG's "negligent cybersecurity practices."

May 31, 2024 | OCR updates its Change Healthcare Cybersecurity Incident FAQs.

June 5, 2024 | Senate Finance Chairman Ron Wyden (D-OR) send a latter to HHS calling on the department to enforce mandatory cybersecurity measures for major healthcare entities.

June 7, 2024 | Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) send a letter to Andrew Witty on the status of breach notifications.

June 14, 2024 | HHS, Labor, and the Treasury announce 120-day extension for IDR disputes impacted by the cyberattack.

June 17, 2024 | CMS announces closure date of July 12, 2024 for payments under the AAP Program in response to the cyberattack.

July 19, 2024 | OCR posts breach on its website