At any hour, your company is vulnerable to cybercriminals aiming to cripple your operations. The repercussions are vast, from productivity loss to compromising sensitive information, which erodes trust with customers and employees alike. The financial toll and reputational harm can be severe and lasting. Whether facing a widespread assault or a precise strike, these attacks are escalating in frequency, sophistication and financial impact.

On February 21, 2024, Change Healthcare, a healthcare technology company under Optum and owned by UnitedHealth Group, disclosed enterprise-wide connectivity issues and service application interruptions, attributing them to the ALPHV/Blackcat ransomware as a service (Raas) threat actor. This incident affected tools used for healthcare payment and revenue cycle management across various healthcare provider customers in the United States.

Consequences of this incident include disruptions in pharmacy and health system operations nationwide, prompting the American Hospital Association (AHA) to advise healthcare organizations potentially affected to disconnect from Change Healthcare applications until the situation resolves. To mitigate the impact, over 90% of U.S. pharmacies have implemented modified electronic claims processing methods, while the remaining have resorted to offline processing systems. This, according to UnitedHealth Group.

In the event of compromised patient data, affected organizations may face legal obligations under HIPAA and state breach notification laws, leading to regulatory scrutiny or privacy-related lawsuits. The incident is part of a broader trend, with the FBI identifying over 1,000 global victims of ALPHV Blackcat ransomware and data extortion, with healthcare being a primary target.

A report from Health-ISAC suggests potential exploitation of certain ConnectWise ScreenConnect vulnerabilities may be behind the attack, with predictions of more organizations falling victim due to the exploit's simplicity. Impacted Change Healthcare customers are advised to communicate with payors for payment workarounds, monitor official updates, follow AHA advisories and review recommendations from various entities including Health-ISAC, CISA, HFMA and HHS.

Potential Business Impacts

Additional steps for impacted companies include the following:

• Develop security-related queries for Change Healthcare to ensure security prior to reconnection to any impacted networks.
• Review all current HIPAA compliance programs including policies and any risk analysis.
• Notify insurers of potential business interruptions and security incidents, and evaluate your current cyber risk coverage.
• Now would be a good time to review and update companywide cybersecurity programs, policies and procedures including privacy policies and incident response plans.
• Review your current contracts for data or privacy provisions with contracted vendors. While vendors have their own privacy policies and practices, companies that utilize their services may be held accountable for third party breaches. Reviewing vendors’ contracts and adding key provisions that ensure the vendor is abiding by their regulatory duties helps you stay informed and could create a cause of action in the case of non-performance.
• Review business associate agreements to ensure that your vendors are responsible for any costs you may incur for their breach, like patient notification, credit monitoring and fines. 
• Review internal company policies – Companies often fail to ensure the promises and assertions made in the public facing policies posted on their website are actual practices of the company.
• Connect with Data Privacy Counsel/Advisors
  • Include data privacy counsel in business operation discussions – this helps build privacy into the daily practice of the business and can save companies thousands of dollars on litigation expenses. The goal is to be proactive when considering privacy while juggling business innovation and growth.
  • Your organization should develop a team to help you navigate through the complexities of data privacy law and provide the best course of action to avoid data breaches and regulatory fines for noncompliance.

These measures aim to navigate the aftermath of the incident and prevent similar occurrences in the future.

How Dinsmore Can Help

Every organization should prioritize cybersecurity and data privacy. There has been a noticeable increase in the enforcement of regulatory fines and penalties for mishandling data processing and we continue to see daily impacts across the nation with cyberattacks.  It is crucial to prioritize your organization's cybersecurity protocols and adhere to relevant data processing requirements. Dinsmore & Shohl's Cybersecurity and Data Privacy team offers the expertise and resources necessary to safeguard against cyber threats, secure consumer data and ensure compliance with data privacy regulations. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review and any related litigation issues regarding cybersecurity and data breaches (investigation, defense and response). Please contact us for more information and to learn how we can partner with you.