The Widespread Effect of the Change Healthcare Mega Hack

Attorney Sara Goldstein on What Firms Affected by the Breach Need to Consider
Sara Goldstein, attorney, BakerHostetler

The Change Healthcare mega hack has taken nearly 120 of the company's IT products and services offline since Feb. 21, and that cyber disruption is having a serious, widespread impact on the entire healthcare industry, including major players, said attorney Sara Goldstein of the law firm BakerHostetler.

Change Healthcare, a unit of Optum, which is a subsidiary of UnitedHealth Group, provides a wide range of critical IT applications to healthcare sector organizations - from claims processing and pharmacy benefits to eligibility checks and prior authorization.

The company says its technology is used to process 15 billion healthcare transactions annually, and its clinical connectivity solutions "touch" 1 in 3 patient records in the U.S. (see: BlackCat Pounces on Health Sector After Federal Takedown.)

"So the amount, the volume of information that's transferred to them and that's transferred out, as well as the role that they have in healthcare is tremendous. The impact of this has been substantial," Goldstein said.

"Many healthcare providers cannot process claims, payments, do patient billing. Without these services and being able to generate revenue, it's really going to create a precarious financial situation for many healthcare systems and healthcare providers."

On Wednesday, the Medical Group Management Association, which represents 15,000 group medical practices and 350,000 physicians, urged the U.S. Department of Health and Human Services to "utilize all the tools at its disposal to mitigate these impacts, so medical groups do not have to take drastic actions to remain in operation."

The MGMA told HHS that "guidance, financial resources, enforcement discretion, and more are needed to avoid escalating an already serious situation."

On Thursday, Optum confirmed in a statement that the attack on Change Healthcare was perpetrated by cybercriminals claiming to be BlackCat/Alphv. Optum in an update on Friday about the incident said it has "multiple workarounds to ensure people have access to the medications and the care they need."

Optum also said on Friday that a "new instance" of Change Healthcare's Rx ePrescribing service was now available for those affected customers.

Based on the company's ongoing investigation, so far there is no indication that Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this incident, Optum said.

But even organizations that do not have a contractual relationship with Change Healthcare are being affected by it, Goldstein said.

"They may have vendors that have relationships with Change, or they work with plans that have a relationship with Change. And so they are also impacted by this. And it's challenging to develop workarounds for services that are so prolific and where there's maybe one or two main providers of those services," she said.

"One thing that is being flagged is about the downside of consolidation of these types of vendors in healthcare. So, that has been a challenge. This is pretty catastrophic."

If the investigation into the Change Healthcare incident determines that personally identifiable information and protected health information were accessed or acquired by the attackers, "this has the potential to be a large breach notification event."

In this interview with Information Security Media Group (see audio link below photo), Goldstein also discussed:

  • HIPAA breach reporting and other regulatory issues that Change Healthcare's clients will need to sort through if the attack on the IT services firm compromised patients' protected health information;
  • Business interruption, cost considerations and cyber insurance issues for companies affected by the Change Healthcare incident;
  • Other vendor and business associate risk management issues emerging from the Change Healthcare attack so far;
  • Tips for healthcare sector entities to avoid falling victim to social engineering and phishing attacks, including scams involving purported "IT help" personnel.

Goldstein is a leader in law firm BakerHostetler's data security incident response practice. She works directly with clients and creates processes and protocols for the attorney team to follow. Prior to joining BakerHostetler, Goldstein was the vice president and general counsel of the nation's second-largest provider of release of information and disclosure management services. She has written a variety of articles on privacy and data security and served as an adjunct professor of law at Drexel University.