Client Advisory: Change Healthcare Cyber Attack Downstream Impacts

This past February, Change Healthcare, a subsidiary of United Healthcare, suffered a ransomware attack that caused Change Healthcare to take its systems offline. As Change Healthcare provides revenue and payment management software that connects payers, providers, and patients to over 50% of the healthcare industry, many pharmacies, hospitals, and other healthcare organizations suffered interruptions to their business, resulting in the inability to serve their customers and causing them to suffer revenue and income shortages.

Change Healthcare was offline for weeks and the downstream impacts are still ongoing, so much so that the CEO of Change Healthcare has been called to testify before Congress. To assist some of its customers with funding challenges, Change Healthcare has set up a Temporary Funding Assistance Program, but this may not be enough, and not all customers may receive assistance. In such instances, we recommend those impacted look to your Cyber insurance.

Who is affected by the Change Healthcare attack and how?

Impact to Change Healthcare’s medical providers

  • This cyber incident has primarily affected insureds in the healthcare sector (e.g., hospitals, medical providers, pharmacies, etc.) that utilize Change Healthcare’s platform for prescription authorization and medical claims processing.
    • This has prevented pharmacies from getting authorization for prescriptions and created cash flow issues for medical providers that can’t get their medical claims processed or properly reconciled for payment.
  • Many healthcare organizations suffered interruptions to their business, resulting in the inability to serve their customers and causing them to suffer revenue and income shortages.
  • Due to the inability to process medical claims, many are experiencing cash flow issues, with some having to find alternative financing sources to continue operations.

Impact to non-healthcare businesses

  • Though this incident has overwhelmingly hit the healthcare space, there have been some non-healthcare-related businesses affected by this incident as well. This is because Change Healthcare’s underlying technology provides revenue and claims management services, which is used for other business purposes outside of the healthcare space.
    • For example, many businesses utilized Change Healthcare in connection with their accounts payable vendors to issue payments and in turn, experienced delays or were unable to issue vendor payments.

Next steps for those affected

Financial assistance

To assist some of its customers with funding challenges, Change Healthcare has set up a Temporary Funding Assistance Program, designed to help providers bridge the gap in meeting their short-term cash flow needs due to the disruption of its services.

  • However, due to the widespread nature of this event, it’s anticipated this program may not be enough, and not all customers may receive sufficient assistance.
    • There may also be additional expenses incurred (such as interest/fees on loans to keep businesses afloat, overtime expenses incurred due to the incident, etc.)

Insurance coverages

As noted above, for those whose loss amounts are not adequately addressed by the Temporary Funding Assistance Program, we recommend looking to insurance policies (primarily Cyber, but also D&O, Professional Liability, and Property policies) for potential coverage.

Cyber insurance coverage implications

The first and often, most critical step, is a broker-led review of the Cyber policy to ensure that notice of a claim/loss is properly provided to the insurer(s).

  • Not all Cyber policies are the same and there are many misconceptions regarding what constitutes proper Notice to the insurer, timelines that must be reviewed and closely adhered to in order to preserve an Insured’s rights, and management/engagement of vendors.
  • An experienced Cyber broker/claims advocate is critical to maximizing and understanding coverage under the policy.

Contingent Business Interruption Loss claim process

An organization’s Cyber insurance– specifically, the Contingent (aka Dependent) Business Interruption Loss coverage – may be critical to help address the direct financial impact to business income loss.

  • Step 1 – Provide notice to the Cyber insurer – work with your Cyber broker to ensure proper notice is provided and to work through the process of engaging approved vendors (e.g., forensic accountants, technology experts, etc.) and proper information/approvals to complete a Proof of Loss.
  • Step 2 – Work with your approved forensic accountant and broker/insurer to complete the Proof of Loss submission with supporting documentation to maximize loss coverage.
    • Some tips for documenting/maximizing your Contingent Business Income and Extra Expense Loss include carefully documenting/tracking the following items:
      • Any additional labor expenses incurred for employees or vendors (e.g., overtime, bonuses, etc.)
      • Interest/fees/expenses incurred for financing secured to maintain operations
      • Loss of interest from investments may constitute an Income Loss
      • Costs for software upgrade or switch to another claim processing vendor
      • List and detail all “other costs” incurred in connection with this incident – the more closely an expense can be shown/documented incurred as a result of the incident, the stronger your loss submission.
  • Step 3 – Submit Proof of Loss to Cyber insurer and address follow-up questions/requests as needed.
    • Often, the insurer may engage their own forensic accountant in this step, and depending on the complexity of the claim, there may be a number of follow-up inquiries. Working closely with your cyber broker to advocate on your behalf can help manage this stage of the process efficiently.
  • Step 4 – Insurer provides coverage determination and loss payment.

3. Breach response and privacy liability coverage

  • Cyber policies may cover the costs of breach counsel, data forensics, public relations expenses, and notification expenses incurred due to disclosure of Personally Identifiable Information (“PII”) or Protected Health Information (“PHI”).

4. Regulatory exposure

  • Various state, federal, and international regulations require notifications within set timelines and provision of credit monitoring services to affected individuals. Most cyber policies’ breach response coverage can assist insureds with adhering to these requirements. It’s important to review the insured’s specific Cyber and D&O policies to determine whether and to what extent such coverage is available.

D&O insurance coverage implications

  • While D&O policies may not yet appear to be triggered by the cyber event (generally, D&O policies include Cyber Event exclusions), there may be potential coverage under D&O policies in the future.
  • Specifically, claims or investigations may be initiated by regulators for compliance issues (e.g., lack of adherence to applicable SEC Rules), or actions may be brought against individual “Insureds”, (e.g., Chief Information Officer, board of directors or other officers) and/or the company for malfeasance, alleged securities violations, improper implementation of controls, etc.). Many of these types of claims could fall under the purview of D&O coverage.

Property insurance coverage considerations

  • Review the specific set of facts regarding Business Interruption (BI) loss as a result of this event.
  • Review the applicable property insurance policy for specific Cyber Event coverage extensions and exclusions.
  • If the policy does include a specific Cyber coverage extension, confirm deductibles and applicable waiting periods and place the property insurer(s) on notice immediately.
  • If the policy does not contain a specific exclusion for Cyber events, place the property insurer(s) on notice immediately.
  • Document and track any BI loss as well as any additional costs (Extra Expense) attributable to this event.
  • If the property policy includes Professional Fees coverage and coverage has been triggered, retain a forensic accountant to assist with quantifying the insured loss and presenting the claim to insurers.

Contact Information

Allen Blount
National Cyber & Technology Product Leader
212-338-4321
ablount@risk-strategies.com

Sara Wice
Head of Management Liability & Cyber Risk Claims
212-596-3452
swice@risk-strategies.com