Highlights

  • The U.S. Department of Health and Human Services Office for Civil Rights - the agency division responsible for administering and enforcing regulations under the Health Insurance Portability and Accountability Act (HIPAA) - is conducting an ongoing investigation into a February 2024 cyberattack targeted at Change Healthcare.
  • Forty-nine consolidated lawsuits are now pending before U.S. District Court Judge Donovan Frank (District of Minnesota), a member of the Judicial Panel on Multidistrict Litigation (JPML).
  • Informal surveys show sustained, costly impacts threatening the viability of some physician practices and laboratories throughout the country.

    On Feb. 21, 2024, the ransomware hacker group ALPHV, otherwise known as "BlackCat," disabled Change Healthcare's nationwide healthcare billing and information systems and demanded a ransom to unlock them.

    Change Healthcare is a subsidiary of UnitedHealth Group (UHG) and processes about half of all medical claims in the United States for approximately 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.

    Following the cyberattack, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched a federal investigation into the attack. Out of concern for both healthcare providers and patients, OCR sought to discover whether a breach of protected health information (PHI) occurred and examine Change Healthcare's and UHG's compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules. UHG CEO Andrew Witty admitted in congressional testimony that $22 million in bitcoin was paid as ransom to BlackCat.[1]

    Aftermath and Impact

    The financial disruption resulting from the cyberattack continues to place significant strain on healthcare providers and patients alike. The American Medical Association (AMA) surveyed providers across the country to understand the impact of the ransomware incident.

    Its informal surveys show sustained, costly impacts threatening the viability of some physician practices and laboratories throughout the country:

    • Survey 1 (April 10, 2024). AMA's first survey noted drastic service disturbances resulting from the cyberattack: 80 percent of physician practices lost revenue from unpaid claims, 85 percent have committed additional staff time and resources to finish revenue cycle tasks, and 78 percent have lost revenue from claims that they have been unable to submit. Further, 36 percent of respondents reported delays in claim repayment, 32 percent reported inability to submit claims, and 22 percent reported being unable to check eligibility for benefits. Small practices (10 or fewer physicians) were hit particularly hard.
    • Survey 2 (April 29, 2024). AMA's second survey 19 days later noted ongoing issues. Sixty percent of operations continue to face challenges in verifying patient eligibility, 75 percent continue to face barriers with claim submission, 79 percent still cannot receive electronic remittance advice, and 85 percent still experience disruptions in claims payments.

    In short, the surveys indicate that some physician practices will almost certainly be forced to shut down because of this incident, and many patients will lose access to their physicians or other vital healthcare services.

      To support affected providers financially in the wake of the cyberattack, UHG has committed $2 billion so far through multiple action plans. However, providers have reported that this fund is already exhausted and no additional advanced payments are currently available, further threatening the financial viability of some healthcare providers.

      To learn more about potential financial assistance, providers should register for the program or call 877.702.3253.

      Resulting Litigation

      On June 7, 2024, the federal JPML centralized the 49 lawsuits filed against Change Healthcare in federal court in Minnesota where UHG is headquartered. These lawsuits accuse its payment processing unit of failing to protect personal data from the February cyberattack.

      Of the total lawsuits, 19 were brought by individual consumers whose data was allegedly compromised. Thirty cases were brought by healthcare providers, alleging they were unable to get paid for their services as a result of Change Healthcare's system lockdown following the attack. Some providers continue to experience difficulty getting paid, or an outright inability to get paid, for claims processed by Change Healthcare as a result of this cyberattack.

      The lawsuits accuse Change Healthcare of negligence and are seeking damages to compensate providers for losses and consumers for the costs associated with credit monitoring and potential identity theft.

      The case name is In Re Change Healthcare Inc Customer Data Security Breach Litigation, U.S. District Court for the District of Minnesota, No. 24-md-03108. View the JPML transfer order.

      Recommendations for Affected Providers

      Providers who feel that they have been harmed by an inability to submit claims and/or receive payments should seek appropriate counsel to evaluate their legal options.

      Given the JPML's disposition, it is likely that any such case would be transferred to the District of Minnesota and consolidated with the dozens of currently pending cases.

      Entities partnered with Change Healthcare and UHG should use this incident as a reminder to comply with applicable regulatory obligations and responsibilities, "including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs," as required by HIPAA.

      For additional information regarding next steps, please see Holland & Knight's previous alert, "HIPAA Breach Notice Can Be Delegated to Change Healthcare," June 4, 2024.

      Additional Resources

      The following informational resources on cybersecurity, ransomware, HIPAA and other topics are available from HHS and OCR:

      • OCR HIPAA Security Rule Guidance Material
      • OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks
      • OCR Webinar on HIPAA Security Rule Risk Analysis Requirement
      • HHS Security Risk Assessment Tool
      • Fact Sheet: Ransomware and HIPAA
      • Healthcare and Public Health (HPH) Cybersecurity Performance Goals

      Footnote

        1. "UnitedHealth CEO faces grilling from Congress over Change Healthcare hack," The Washington Post, May 1, 2024.

John Kern
Holland & Knight
© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing