What makes the Change Healthcare cyberattack so unique?

CAC Specialty head predicts what its impact will be on the cyber insurance market

By David Saric

While cyberattacks are a common occurrence for businesses of any size, the Change Healthcare incident is a deviation from the norm, mainly because of the company’s interconnectedness with various key players in the healthcare industry, such as hospitals and pharmacies.

“What makes this particular cyberattack interesting and different than other similar instances is that the threat actors went after a true linchpin in the overall US healthcare ecosystem,” said Stephanie Snyder Frenier, SVP of cyber & professional solutions at CAC Specialty.

“Change Healthcare processes claims payments and pharmacy prescriptions as a clearing house and taking them out of the equation has just caused a lot of downstream effects at this point for other healthcare providers that are utilizing this platform.”

What has resulted is a cashflow issue for customers of Change Healthcare — a subsidiary of UnitedHealth Group — due to claims payments being delayed.

“This is causing a lot of healthcare providers pain, as there’s not a lot of wiggle room that providers have in terms of their overall cash flow because we’re only in March and they’ve only started accepting claims payments for this year in January,” Snyder Frenier said.

The question is whether organizations, especially smaller healthcare providers, will be able to pay people or will have to shut down, which could potentially impact healthcare services for patients.

“It’s very concerning,” the SVP said.

In an interview with Insurance Business, Snyder Frenier spoke about what possible effect the Change Healthcare attack will have on the cyber insurance market and what the industry can learn from this high-profile loss event.

How the cyber insurance market might be affected by the Change Healthcare breach

There is still a lot to be learned about this cyberattack since some of the outcomes related to the event are still purported or alleged at this point.

“Change Healthcare has filed an 8-K in compliance with the SEC’s new cybersecurity disclosure rules. However, it didn’t reveal a lot,” Snyder Frenier said.

There has been speculation on what this loss event entailed, mainly through online chat boards, where it has been alleged that six terabytes of information were pillaged during this attack.

UnitedHealth Group revealed that Russian cybercriminal group BlackCat was behind the attack.

BlackCat also accepted a $22 million Bitcoin payment back on March 1, but it is still unknown if that large sum was paid in association with the cyberattack.

If true, this leads to the possibility of a major privacy breach of healthcare information, which is highly regulated at the federal level through HIPAA, alongside the 13 states that have state privacy laws, in addition to the 50 states that have data breach notification laws.

“Right now, we don’t know what is in those six terabytes of data that were allegedly taken and if any of that information would violate HIPAA laws,” Snyder Frenier said.

Large tech errors and omissions liability claims are also a possibility due to several associated businesses being affected by this data breach.

“Related parties could argue that Change Healthcare’s technology product did not work as intended because they had a security breach, so there’s also a security privacy aspect to it from a liability standpoint,” Snyder Frenier said.

“The tech E&O and the security privacy liability certainly overlap.”

Lastly, for the companies and organizations using Change Healthcare as a clearinghouse, business interruption can be very cumbersome.

“They may not have a contract in place with another such clearinghouse, which can result in these businesses incurring expenses to figure out how to get these claims paid,” Snyder Frenier said.

“Depending on how long this goes on, we will need to see if there is true net income impact, how large the extra expenses will be and whether or not they breach the retention on cyber insurance policies.”

The SVP believes that this attack is akin to the Colonial Pipeline ransomware event from 2021, where the oil and gas linchpin was the subject of an IT breach that affected the company’s ability to deliver gas in certain regions of the United States.

“Colonial Pipeline could still run their business, but they didn’t know what they were pumping and distributing,” she said.

“Because that was on their IT system, they were put in a very difficult position of having to determine if they were going to pay a ransomware demand so that they could get access back to their systems.”

On March 8, UnitedHealth Group revealed that Change Healthcare’s platform will be up and running on March 15, while its medical claims network will be back online March 18.

Lessons from the Change Healthcare cyber breach

According to Snyder Frenier, cyber insurance professionals and the clients they serve can learn a lot from this attack.

“Cyber resiliency is not just about having better firewalls or more MFA, it must include a true third-party risk management plan, understanding the cybersecurity of the third parties that you’re contracting with and then creating redundancies,” she said.

For businesses relying solely on the capabilities of Change Healthcare, it is wise to also look to alternative means of collecting payments and not put all their eggs in one basket.

It is important to have incident response, business continuity and disaster recovery plans in place alongside tabletop exercises to practice those plans.

Furthermore, Snyder Frenier thinks that cyber underwriters could benefit from understanding cyber risk from an alternative angle.

“We don’t typically see underwriters asking a lot of questions around single points of failure within an industry. There’s a lot of focus on systemic risk in cyber insurance that focuses on what happens if there’s an outage of a cloud service provider or what happens if there’s an outage or a critical vulnerability that’s exploited in an operating system,” she said.

“But are they pulling back and looking across the entire industry to identify the single points of failure since there’s only so many companies that service particular needs of the healthcare ecosystem like Change Healthcare?”

However, Snyder Frenier is optimistic that the Change Healthcare breach will enable positive changes in understanding and underwriting cyber risk.

“There will certainly be a lot of lessons learned,” she said. 
