Re-Evaluating Business Associate Agreements After Health Care Cyberattacks

Anticipating and preparing for widespread class action lawsuits and third-party claims

April 01, 2024

You may have heard that Change Healthcare, a subsidiary of UnitedHealth Group, experienced a major ransomware attack late last month. The company, which is responsible for handling the prescription billing of more than 67,000 pharmacies across the U.S., first discovered the hack on Feb. 21, 2024, and proceeded to disconnect impacted systems immediately. It was later found that the attack was perpetrated by ALPHV/Blackcat, a group that is notorious for targeting healthcare organizations. 

We are now a few weeks out from the attack, and things are only just getting back to normal. For weeks, health care providers were unable to transmit prescriptions, and medical groups struggled with billing, acquiring prior authorizations from insurers, and verifying the insurance eligibility of patients. Reportedly, some medical groups went without inbound charges and outbound payments for weeks. Furthermore, hospitals that typically rely on Change Healthcare for a number of different services were also left in the dark with no end in sight. On top of all this, millions of patient medical records may have been accessed and acquired as a result of the event.

The aftermath of the attack has had such a catastrophic effect on the healthcare industry’s infrastructure that Senate Majority Leader Charles Schumer (D-New York) has begun pleading with federal health officials to provide immediate assistance to New York hospitals as well as health care providers nationwide who have been entirely incapacitated by the ongoing attack.  


Based on Change Healthcare’s forensic findings and any required notices, we are more than likely to see widespread litigation in the form of class action lawsuits and other potential third-party claims. While the scope of potential liability is not clear at this point, it is not hard to imagine that plaintiffs and their attorneys will try to build theories around alleged harm from interruptions to their medications or health care, in addition to the compromise of their personal information.

Beyond the obvious legal ramifications of such an attack, the incident also highlights the need for enhanced cybersecurity within the healthcare sector. It is imperative that health care organizations and the third-party vendors on whom they rely evaluate their policies, procedures, and technical safeguards. At its core, Change Healthcare is a technology platform. However, because it provides health care technology services and solutions and processes and manages protected health information (PHI) on behalf of covered entities, it is classified as a business associate under HIPAA. As such, it is required to implement safeguards to protect the integrity and security of the PHI it manages. This recent attack will undoubtedly force many health care entities relying on third-party vendors, such as Change Healthcare, to re-evaluate their business associate agreements with those vendors and to ensure compliance with HIPAA and any other applicable standards. Enhanced data encryption, access controls, and periodic risk assessments, for example, need to become bare-minimum protocols for organizations handling PHI.

About The Authors
Julia N. Bover

Julia N. Bover is an Associate at Freeman Mathis & Gary, LLP. julia.bover@fmglaw.com
