The recent cyber attack on Change Healthcare has sent shockwaves through not just the healthcare ecosystem but the entire cyber insurance industry.

For nearly a month, a significant number of hospitals, doctor offices, and pharmacies have been unable to verify insurance coverage or seek reimbursement requests from healthcare insurers. UnitedHealth, which owns Change Healthcare, has restored its electronic pharmacy services and payments platform, but the medical claims network remains offline.

As we’ve seen, businesses are experiencing cash-flow shortages and seeking loans to maintain operations. Cyber claims are rolling in, but it’s too soon to know the ultimate financial impact of this event. All the while, experience has taught us that notification obligations and likely losses related to reputational harm loom large in the background.

Many of our brokers are experiencing the effects of this attack firsthand, diligently facilitating insurance claims, advocating for their clients, and using the attack as an example of why comprehensive cyber insurance coverage is essential.

Let’s explore what we know about the Change Healthcare attack, how Coalition is responding, and some of the most important takeaways thus far.

What happened?

Change Healthcare, a healthcare technology company owned by UnitedHealth Group, announced that it experienced a ransomware attack on February 21, 2024. Attackers stole patient data, encrypted company files, and demanded money to unlock them. 

Change Healthcare shut down most of its network to prevent further compromise and has been largely offline since the attack though some of its platforms are now coming back online. As a result, healthcare providers that depend on Change’s technology have been impacted, leading to prescription backlogs, lost revenue, and constraints on patient care.

Change Healthcare said the attack was perpetrated by ALPHV/BlackCat, a well-known ransomware gang that was also responsible for the MGM Resorts attack. This group is known for its double-extortion tactics, involving the theft of sensitive data followed by encrypting files and demanding ransom for both decryption and the non-release of the stolen data. 

ALPHV/BlackCat claimed it stole four terabytes of data, including Social Security numbers, healthcare records, and company source code. The gang has been linked to a $22 million Bitcoin transaction that many suspect was a ransom payment; however, Change Healthcare’s systems remained offline after the alleged payment amid further scandal between ALPHV/BlackCat and one of its affiliates.

Why is this a big deal?

Change Healthcare provides critical services in the healthcare industry, processing transactions and facilitating communications among pharmacies, care providers, and insurers. The company reportedly processes 15 billion transactions totaling $1.5 trillion in healthcare claims per year.

Many businesses use Change Healthcare as a clearinghouse to electronically transmit medical claims data to insurance carriers, such as prescription reimbursement claims. Clearinghouses, like Change Healthcare, typically prescreen and clean medical claims data, searching for errors and inaccuracies, then securely transmit the claim to the specified payor.

According to United Health, more than 90% of U.S. pharmacies have been forced to change how they process electronic health insurance claims as a result of the attack. Without a way to process claims, many pharmacies have no cash flowing into their practices. 

The American Hospital Association called it “the most significant cyberattack on the U.S. health care system in American history,” while cybersecurity experts have estimated losses of $100 million per day.

How is Coalition responding?

Coalition’s primary focus continues to be supporting impacted policyholders* that have been unable to process prescription orders and obtain insurer payments. Many have expressed frustration about delays in the restoration of Change Healthcare’s network and services.

“Businesses are reeling due to the significant downtime. Our team is fielding a number of questions from policyholders whose primary concerns are delays in revenue and the scope of any available business interruption coverage,” said Anne Juntunen, a manager on Coalition’s claims team. “We’re encouraging businesses to follow the communications from UnitedHealth Group, including the availability of cash flow relief from Optum or perhaps through their own banking institutions.”

Optum, a healthcare services provider also owned by United Health, has launched a Temporary Funding Assistance Program to provide short-term cash flow help to businesses that rely on payment processing from Change Healthcare. UnitedHealthcare said it will also provide solutions to medical, dental, and vision providers.

Coalition will be evaluating policies and proofs of loss as they arrive, but policyholders’ main focus has been business interruption coverage. Meanwhile, Coalition has lined up additional resources to ensure we can review business interruption claim submissions promptly. Impacted policyholders are also receiving consultation with our breach counsel partners and assistance in identifying new vendors to replace the services they were receiving from Change Healthcare. 

“Businesses are reeling due to the significant downtime. Our team is fielding a number of questions from policyholders whose primary concerns are delays in revenue and the scope of any available business interruption coverage." — Anne Juntunen, Coalition claims manager

Contingent business interruption coverage comes into play

Business interruption (BI) is a common coverage* included in many cyber insurance policies. If a business directly experiences a cyber attack and is unable to operate, BI would typically cover lost net profit and unrecoverable operating expenses during the downtime.

But what if the attack was not experienced directly, as is the case with many businesses impacted by the Change Healthcare attack?

Contingent business interruption (CBI)* is a distinct but less-common coverage that extends to cover losses that result from disruptions to certain third-party vendors. All of the claims we’ve seen among Coalition policyholders relate to the risk that a third party provider will be breached. 

Contingent business interruptionI is an often-overlooked coverage that’s becoming increasingly necessary as more and more businesses rely on third parties to host their essential infrastructure.

“Let’s face it, there are people out there right now who don't have contingent business interruption coverage,” said Mercy Komar, Cyber Risk Manager, Commercial Lines Manager for L. Calvin Jones & Co. “Maybe they have a small pharmacy and somebody wrote it on a BOP [Business Owners Policy] through one of those little data breach endorsements — those do not carry contingent coverage on them.”

Change Healthcare highlights a valuable lesson in selling cyber insurance: CBI is an often-overlooked coverage that’s becoming increasingly necessary as more and more businesses rely on third parties to host their essential infrastructure.

Data privacy and reputational harm on the horizon

Understandably, most businesses are focused on staying afloat right now. However, once Change Healthcare fully restores its systems, we anticipate a shift in focus to the data privacy aspects of this event.

“The stakes are high in healthcare. If my client can’t provide a customer with essential medicine, they need to refer them to another pharmacy that can,” said Komar. “But what happens when Change’s systems are back up and running? We know that many customers won’t come back if they know that you're involved in a cyber breach.”

Businesses that use Change Healthcare technology may have experienced data infiltration in the attack that would trigger notification obligations though it remains to be seen whether formal notification to customers or patients is necessary. If any Coalition policyholders have to undertake a notification effort, we will evaluate the opportunities to coordinate with, and seek recovery from, any liable third parties.

“The stakes are high in healthcare. If my client can’t provide a customer with essential medicine, they need to refer them to another pharmacy that can.” — Mercy Komar, Cyber Risk Manager, Commercial Lines Manager for L. Calvin Jones & Co.

3 ways to discuss Change Healthcare with clients

The attack on Change Healthcare underscores some key considerations when discussing cyber risk. Here are some important lessons learned to guide conversations with clients:

1. Emphasize contingent business interruption 

Every business, regardless of industry, should consider CBI coverage* in the wake of Change Healthcare. It’s easy to get caught up in ransomware and other headline-making attacks, but CBI coverage can be the difference between your clients recovering from a third-party cyber attack and ceasing operations entirely.

2. Prioritize essential business technology

Ask your clients which technologies are essential to their operations. A substantial dependency on other vendors’ technologies may necessitate CBI coverage and deeper contingency planning in the event those technologies are offline or unavailable for an extended period of time.

3. Be mindful of long-term fallout

Make sure your clients understand that the impacts of a sizable cyber attack can persist for months or even years. Once businesses are able to resume operations, there remains a long road ahead of recovery and restoration, both of which can be impacted by notification obligations and loss of customers.

While the scale of the Change Healthcare is alarming, it serves as a reminder of the ever-present cyber threats facing businesses. The compromised data and shared dependency on technology underscores the need for robust cybersecurity measures and comprehensive insurance coverage. During these times, we look to our brokers to help provide additional guidance and solutions to safeguard their operations against cyber risks.

This article originally appeared in the March 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. 

*Exclusions and limitations apply. See disclaimers and policy as issued. 

Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc.(“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.