Healthcare , Industry Specific , Legislation & Litigation
Change Healthcare Attack: Recovery Woes; Lawsuits Pile Up
Company Makes Progress Restoring IT Services, But Disruption LingersAs recovery from its Feb. 21 cyberattack continues, Change Healthcare and its parent company UnitedHealth Group are facing a growing pile of lawsuits, while health sector entities affected by the IT services disruption are dealing with a mounting stack of bills and other paperwork to catch up on.
See Also: Best Practices to Protect Communication and Email Fraud with Technology
As of Friday, UnitedHealth Group and Change Healthcare are named defendants in about two dozen proposed federal class action lawsuits stemming from the attack.
Those include at least 11 lawsuits filed by individuals alleging they face the prospect of identity theft and fraud due to their personal information being compromised by the incident - even though the company is still investigating the extent of a potential data breach (see: UnitedHealth Admits Patient Data Was 'Taken' in Mega Attack).
An affiliate of ransomware group BlackCat - aka Alphv - last month claimed to have exfiltrated 6 terabytes of "highly selective data" relating to "all" Change Healthcare clients, which include Tricare, Medicare, CVS Caremark, MetLife, Loomis, Davis Vision, Health Net, Teachers Health Trusts "and tens of insurance and other companies (see: BlackCat Pounces on Health Sector After Federal Takedown).
Other lawsuits filed by healthcare providers allege their financial viability was severely injured by being unable to electronically file claims, receive payments and conduct other vital business functions during the outage that affected more than 100 Change Healthcare IT products and services.
Change Healthcare in a response to the litigation this week requested that the lawsuits be consolidated, transferred and handled by the U.S. District Court for the Middle District of Tennessee, the district in which Nashville-based Change Healthcare is located. So far, more than half of the lawsuits have been filed in that Tennessee federal court.
Change Healthcare, which is part of UnitedHealth Group's Optum division, also claims in court documents that the lawsuits' allegations are faulty.
"Despite the slight differences in allegations depending on whether a case was filed by a provider or consumer, all the actions are based on the incorrect and unfounded theory that, because a cyberattack occurred, Change's security must have been deficient and plaintiffs must have been have harmed," Change Healthcare said in court papers.
UnitedHealth Group on its website said that to date, it has advanced nearly $4.7 billion in temporary financial assistance to providers in need during the recovery. The company also said it continues to make progress restoring IT services that were taken offline during the response to the attack, including many of its claims processing and other vital functions.
Other services are expected to be restored over the next several weeks, according to Change Healthcare's last status update dated March 27.
While many systems are back online, the disruption is still being felt by many organizations that depend upon the company's services.
"While IT services are being restored, the reality is healthcare billing is way behind," said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.
"I just had a medical appointment this morning and learned their insurance filings are still being held up. They're shifting to paper-based filings and dreading the day they have to reconcile everything," he told Information Security Media Group on Friday.
"Just talk to your friends and family and no doubt you'll hear people are still having problems getting prescriptions filled and procedures scheduled."
Steve Cagle, CEO of security and privacy consultancy Clearwater, said the outage continues to affect providers.
"Medical claims have begun to flow through Change Healthcare's network. Assurance was back online the week of March 18 and Relay Exchange, the largest clearinghouse, was back online the weekend of March 23," he said.
"When the clearinghouse came back online, they began taking steps with both commercial payers and government payers to reconnect the claims network. That work is ongoing," he said. "However, many of its other systems are still not up and running. As claims begin to flow to payers, the actual cash flow timing is dependent on individual payers reconnecting."
One of the critical lessons coming out of the incident is that all organizations in the sector need to be resilient, Cagle said.
"This means understanding the impact to your business or operations should particular systems become unavailable. The organization must be able to quickly patch vulnerabilities and be able to detect, respond, contain and recover from an attack," he said.
"Additionally, I think more people are accepting the fact that cybersecurity is a business imperative. Your cybersecurity and risk management program can be either a liability or a competitive advantage."
Complex Interdependencies
The Change Healthcare incident has shown the need to take a comprehensive look at the complexities and interdependencies of the U.S. healthcare ecosystem to ensure healthcare remains resilient from cyberattacks and continues to provide safe, secure and timely patient care, Weiss said.
"Health-ISAC is encouraging the creation of a public/private task force to complete a systemic risk analysis across the healthcare and public health sector, funded by the Department of Health and Human Services - similar to what was done in the financial services sector over a decade ago," he said.
"The healthcare and public health sector needs to take a holistic look at how to bolster resilience in the face of sustained and increasing cybersecurity risk," Weiss said.
"The Department of Homeland Security, in coordination with CISA and other government agencies, should convene a public/private task force to identify and analyze systemic risks across the sector and recommend near- and long-term actions to ensure the sector is resilient."
The U.S. Treasury Department conducted a similar study of systemic risk in the financial services sector around 2010, Weiss said. "The information gleaned from these reports proved instrumental in ensuring that the expenditure of resources, regulatory action and best practices are aligned to mitigate the most significant risks."
In the meantime, the Change Healthcare attack and resulting IT outage has been a wake-up call for many in the C-suites of U.S. healthcare sector organizations, Cagle said.
"The Change Healthcare incident has been eye-opening for many executives or boards who may have previously considered cybersecurity an IT issue that they did not concern themselves with daily as they felt that their CIO or security team was handling it, and it did not deserve their time," he said.
"All of that has changed."