Author: John Farley
Change Healthcare, a UnitedHealth Group technology unit that's one of the largest healthcare technology vendors in the US, announced on February 21 that it experienced a network security incident.1 The Change Healthcare cyber incident has impacted several hundred healthcare providers who rely on Change Healthcare for revenue and payment cycle management that connects payers, providers and patients. Those affected include clinics, hospitals, pharmacies, medical practices and others within the US healthcare sector. According to one estimate, some providers are losing as much as $100 million per day in revenue,2 and as of this writing, there's no timeline indicating when services will be back online.
While developments are still unfolding, it's been reported that hacking group AlphV/BlackCat is behind the attack.
Guidance from the FBI and CISA
A joint statement from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provides advice and recommendations for organizations the Change Healthcare incident might have affected.3 Specifically, they recommend the following actions:
- Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
- Prioritize remediation of known exploited vulnerabilities.
- Enable and enforce multifactor authentication with strong passwords.
- Close unused ports and remove applications not deemed necessary for day-to-day operations.
Health and Human Services response to the Change Healthcare cyber attack
On March 5, 2024, the US Department of Health and Human Services (HHS) announced it would relax certain requirements around Medicare prescriptions and consider advance payments for impacted healthcare facilities.4
Cyber insurance: Steps to take now
Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by losses related to this incident, either directly or indirectly through vendor or supply chain relationships. Many stand-alone Cyber insurance policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
Specifically, business interruption and extra expense costs may be significant for those affected. Therefore, we recommend the following:
- Quantify the financial impact of the business interruption the cyber attack caused, which may include lost revenue, increased expenses, recovery costs and any other direct or indirect costs associated with the incident.
- Maintain proper documentation. Keep detailed records of all evidence collected, investigation findings and financial impact calculations. This documentation will be crucial when presenting the evidence to insurers, legal authorities or other relevant parties.
- Consult with insurance providers. If you have Cyber insurance coverage, notify your insurance provider as soon as possible and work closely with them throughout the process. They can provide guidance on the evidence required and assist in the claims process. Some insurance coverage may provide reimbursement for costs associated with hiring external forensic accounting experts.
From a compliance perspective, organizations that may have had personal and other sensitive information accessed by unauthorized parties could be subject to mandated notice requirements to affected individuals, regulators and other third parties.
Implications for Cyber insurance coverage
The Cyber insurance market remains laser focused on threats to critical infrastructure, including the healthcare sector. The potential for an attack or a system outage such as this one could lead to a dreaded systemic loss, having a cascading impact on multiple insureds around the globe.
As a result, the Cyber insurance marketplace has addressed these concerns by changing, and in some cases restricting or excluding, coverage. When reviewing Cyber insurance and other policies that may provide a mechanism to transfer cyber risk for both healthcare service providers and those that rely on them, insureds should be mindful of several potential coverage pitfalls, including but not limited to:
- Critical infrastructure exclusions that may eliminate coverage for all losses related to a specified critical infrastructure target, which may include the healthcare sector
- Catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations
- Contingent business interruption sub-limit or exclusionary language that may apply to organizations that weren't direct targets, but suffer consequences of a critical infrastructure cyber attack
- Regulatory risks that may limit or exclude coverage for regulatory investigations, lawsuits, fines and settlements
Additional resources
- Find resources and alerts at CISA's Stop Ransomware page, including a link to the CISA Stop Ransomware Guide for information on ransomware preparedness.
- For the latest cyber threat information and alerts, visit cisa.gov.
- To contact local FBI offices to report suspicious cyber activity, visit fbi.gov or the Internet Crime Complaint Center.
- For a cyber emergency such as a ransomware attack in progress, call the FBI's Cyber Watch (CyWatch) at (855) 292-3937. You can also contact CISA online at www.cisa.gov/cisa-central or by calling CISA Central at (888) 282-0870. All are available 24/7.