
3 Takeaways From the Ransomware Attack on Change Healthcare

The attack on Change Healthcare underscores key considerations for independent agents when discussing cyber risks with clients.

On Feb. 21, Change Healthcare, a healthcare technology company owned by UnitedHealth Group (UHG), announced that it was experiencing a cybersecurity issue. It was later revealed that it was a ransomware attack. Attackers had stolen patient data, encrypted company files and demanded money to unlock them.

In response, Change Healthcare shut down most of its network to prevent further compromise. This impacted the health care providers that depend on the organization's technology, ultimately resulting in prescription backlogs, lost revenue and constraints on patient care.

For two months now, many hospitals, doctor's offices, and pharmacies across the country have had their services disrupted by the inability to verify insurance coverage or seek reimbursement from health care insurers. Cyber claims related to the Change Healthcare cyberattack continue to roll in for insurance providers, making it too soon to tell the ultimate financial impacts of the event. Many agents and brokers are also experiencing the effects of this attack firsthand, diligently facilitating insurance claims, advocating for their clients, and determining how else they can support them.

As we move away from the chaotic immediate aftermath of the incident, it's an opportunity to reflect and explore what happened and how agents and brokers can talk about it with their clients. 

Change Healthcare said the attack was perpetrated by ALPHV, also known as Blackcat, which is a well-known ransomware gang also responsible for the October 2023 MGM Resorts attack. This group is known for its double-extortion tactics, involving the theft of sensitive data followed by encrypting files and demanding ransom for both decryption and the non-release of the stolen data. ALPHV claimed it stole four terabytes of data, including Social Security numbers, health care records and company source code.

More recently, over a month after the original hack, attackers from a separate extortion group called RansomHub claimed to have breached the company again and posted data up for sale.

The nature of the ALPHV attack and the scope of its impact are truly distinct from previous cyber incidents. The American Hospital Association called it “the most significant cyberattack on the U.S. health care system in American history.” Cybersecurity experts have estimated daily losses of $100 million, and the downstream effects may not be fully realized for years.

Change Healthcare provides critical services in the health care industry, processing transactions and facilitating communications among pharmacies, care providers and health insurers. Annually, the company reportedly processes 15 billion transactions totaling $1.5 trillion in healthcare claims.

Many businesses use Change Healthcare as a clearinghouse to electronically transmit medical claims data, such as prescription reimbursement claims, to insurance carriers. Clearinghouses also typically prescreen and clean medical claims data, searching for errors and inaccuracies, then securely transmit the claim to the specified payor.

More than 90% of U.S. pharmacies were forced to change how they process electronic health insurance claims due to the attack, UnitedHealth estimated. Without a way to process claims, many pharmacies have no cash flowing into their practices.

Further, this incident not only impacted companies, but also individuals. Change Healthcare says its systems touch the data of 1 in 3 U.S. patients, so many citizens could have had their protected health information (PHI) exposed. Unlike personally identifiable information (PII)—credit card numbers, passwords, and more—that can be changed or updated, PHI includes deeply personal, long-living data with a much longer shelf life. In short, PHI disclosure can result in identity theft, and even if the disclosure could be traced to a specific event, attackers could use it to extort again and again.

The attack on Change Healthcare underscores some key considerations when discussing cyber risk with clients. Here are three takeaways to discuss with clients:

1) Consider contingent business interruption that protects against third-party risk. Regardless of industry, every business should consider contingent business interruption coverage. However, contingent business interruption is often confused with business interruption coverage, a common coverage in many cyber insurance policies.

Under business interruption coverage, if a business directly experiences a cyberattack and cannot operate, the policy will kick in and typically cover lost profit and unrecoverable operating expenses during the downtime.

However, business interruption coverage doesn't apply to the Change Healthcare attack because it was perpetrated through a third-party vendor and not through the business directly. Contingent business interruption is a distinct but less common coverage that extends to cover losses resulting from disruptions that stem from a third-party vendor, like a software or technology provider.

Change Healthcare highlights a valuable lesson in selling cyber insurance: Contingent business interruption is an often-overlooked coverage that's becoming increasingly necessary as more and more businesses rely on third parties to host their essential infrastructures.

2) Prioritize essential business technologies and replace those that are at risk. Ask your clients which technologies are essential to their operations. A substantial dependency on other vendors' technologies may necessitate contingent business interruption coverage and deeper contingency planning in the event those technologies are offline or unavailable for an extended period.

Ensure a client's contingency plan accounts for a cyberattack and includes clear steps on what to do if one happens. This includes a process for cutting off the vital systems to protect them and contacting the cyber insurer immediately for recovery, restoration and remediation efforts.

The Change Healthcare attack also presents an opportunity for clients to review their organization's technology and evaluate which components are outdated and no longer serviceable, as well as which ones need to be updated or patched.

Coalition's “Cyber Threat Index 2024” found that over 10,000 businesses are running the end-of-life (EOL) database Microsoft SQL Server 2000. This statistic matters because organizations that still use EOL software are three times more likely to experience a cyber claim.

3) Be mindful of potential long-term fallout. Verify that your clients understand that the impacts of a sizeable cyberattack can persist for months or even years. Even after a business is able to resume operations, recovery and restoration are still part of the long road ahead to returning to normal—both of which can be impacted by notification obligations and customer loss.

When applicable, it's essential that policyholders are aware of other funding assistance avenues when they're financially affected by an attack, either through the impacted third-party provider or through their banking institutions.

Notification obligations will also play a role in mitigating and addressing the fallout from a cyberattack. Policyholders will need to understand when they are required to contact impacted customers and ensure they have the resources to do so. And the reality is that any notification effort can lead to increased publicity and litigation.

While the scale of the Change Healthcare hack is alarming, it serves as a reminder of the ever-present cyber threats that businesses face. The compromised data and shared dependency on technology underscore the need for robust cybersecurity measures and comprehensive cyber insurance coverage.

In this ever-evolving cyber landscape, policyholders look to their trusted advisers for additional guidance and support to safeguard their businesses against cyber risks. Agents and brokers play important roles in supporting clients during the aftermath of a cyberattack. Understanding current incidents and takeaways is key to guiding clients. 

Robert Jones is head of global claims at Coalition.

Monday, April 22, 2024
Cyber Liability