Contributors: Sean Zabaneh and Samantha Dalmass

On February 21, 2024, Change Healthcare (“Change”), a subsidiary of UnitedHealth Group (“UHG”), was hit with a cyberattack carried out by the ransomware operator ALPHV/BlackCat. While Change is not an insurance company and does not provide healthcare services directly, it is one of the largest clearinghouses for medical payments in the U.S., touching at least one in three patient records according to estimates from the American Hospital Association (“AHA”).[1]
These transactions include a range of services that directly affect patient care and provider reimbursement, including eligibility verifications and pharmacy operations, as well as claims transmittals and payments. Upon learning of the attack, Change stopped performing many of its essential functions, which resulted in immediate and considerable chaos industry-wide. It has been reported that most Change services and functions were restored weeks after the attack, but organizations across the healthcare industry experienced, and in some cases continue to experience, profound business operation interruption and severe financial consequences. Every organization in the healthcare space should be following developments regarding the attack. This article summarizes some important considerations and offers key takeaways.
First, the attack presents substantial risks to patient care. The New York Times has identified several studies highlighting some of the critical patient care concerns associated with cyberattacks.[2] One such 2023 study, which linked a database of hospital ransomware attacks to Medicare administrative claims data, found that ransomware attacks not only cause short-term and immediate decreases in hospital volume but also increase in-hospital mortality rates for patients already admitted at the time of an attack.[3]
Cyberattacks on healthcare providers and other companies in the industry often impact access to electronic health records (EHRs), imaging systems, telemedicine capabilities, and other essential workflows, all of which present serious patient care concerns. Though literature focusing on ransomware patient outcomes is still fairly limited, the negative impacts of ransomware attacks on hospitals and other healthcare companies have been a topic of interest in recent years as attacks on companies within the healthcare industry have increased in frequency and sophistication.[4] According to a survey conducted by the AHA less than one month after the Change attack, 74% of the nearly 1,000 hospitals surveyed reported direct care impacts, and nearly 40% of responding hospitals reported patients having difficulty accessing care because of delays in processing of health plan utilization requirements (e.g., prior authorization).[5]
Second, the data privacy implications of the attack are significant. UHG has confirmed that personally identifiable health information, claims information, and health information have been compromised, including information from at least 22 screenshots containing protected health information (“PHI”) and personally identifiable information (“PII”) from allegedly exfiltrated Change files that were posted on the dark web for about a week.[6] On April 22, 2024, UHG issued a press release stating that its initial targeted data sampling revealed files containing PHI and PII that “could cover a substantial portion of people in America.”[7]
Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities have 60 days from the discovery of a breach affecting 500 or more people to report the breach to the HHS Office for Civil Rights (“OCR”). However, notwithstanding UHG’s April 22 press release, neither UHG nor Change had provided a formal breach notification to the U.S. Department of Health and Human Services (“HHS”) as of May 1, 2024.[8] So while the investigation remained ongoing, individual providers and other healthcare companies who might have been impacted by the attack continued to lack clarity regarding exactly how they had been affected and what steps they might need to take as a result of any protected data that might have been accessed.
Third, healthcare businesses have endured extreme and sometimes catastrophic financial consequences. The attack significantly delayed reimbursement and, in many cases, made reimbursement requests impossible. Healthcare businesses dependent on reimbursement were unable to obtain insurance authorization to provide treatment. These issues caused substantial business interruptions across the industry.
KEY TAKEAWAYS FOR HEALTHCARE BUSINESSES
As the aftermath of the attack unfolds, it should serve as a wake-up call to all industries, but particularly the healthcare industry, that now is the time to scrutinize and update policies to ensure future preparedness. The healthcare industry is especially vulnerable to cyberattacks because healthcare is deemed “critical infrastructure,” and thus the security of healthcare systems is an issue of national security.[9] Here are a few takeaways for businesses in the healthcare industry to consider.
- Review and update internal cybersecurity policies. U.S. and international privacy laws are changing rapidly, and it is thus critical that your organization regularly review and update privacy policies to maintain compliance.
- Review and update Business Associate Agreements. If your business deals with HIPAA-protected data, it is important to review your Business Associate Agreements (BAAs) to understand your potential rights and obligations. In particular, businesses should understand their indemnification rights when breaches are caused by third parties. Similar scrutiny should be applied to your vendors’ subcontractors.
- Review cyber insurance and business interruption insurance policies. Be sure to understand notice requirements and the scope of coverage on applicable insurance policies. If you do not have cyber insurance, you should analyze the need for coverage sooner rather than later, as premiums are only increasing. Business interruption insurance is an additional coverage that could apply in situations involving a cyberattack that did not happen directly to your organization.
Disclaimer: This article has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice.
References
1. https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances
2. https://www.nytimes.com/2024/03/29/health/cyber-attack-unitedhealth-hospital-patients.html
3. McGlave, Claire and Neprash, Hannah and Nikpay, Sayeh, Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients (October 4, 2023). Available at SSRN: https://ssrn.com/abstract=4579292 or http://dx.doi.org/10.2139/ssrn.4579292
4. Dameff C, Tully J, Chan TC, et al. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Network Open. 2023. Available at https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2804585?resultClick=1#related-tab
5. https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances
6. https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html
7. https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html
8. https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html
9. The term “critical infrastructure” is defined under 42 U.S.C. § 5195c(e) to mean systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters. Federal policy has identified 16 critical infrastructure sectors, including healthcare and public health. See Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience (Feb. 12, 2013), retrieved from: https://www.cisa.gov/sites/default/files/2023-01/ppd-21-critical-infrastructure-and-resilience-508_0.pdf. See also Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices, GAO-23-105327 (Dec. 01, 2022), retrieved from: https://www.gao.gov/assets/820/813605.pdf.