Change Healthcare Cybersecurity Incident – Legal and Operational Considerations for Affected Organizations

Posted on March 18, 2024 in Health Information Technology, Health Law News

Published by: Hall Render

The cybersecurity incident recently experienced by Change Healthcare has materially disrupted the health care delivery system and created significant financial, operational and legal challenges for many health care organizations. Organizations impacted by this incident should be careful to react thoughtfully and deliberately when addressing these challenges to ensure that any steps taken do not exacerbate or create additional financial, operational, compliance or legal issues.

Incident Overview

Change Healthcare is a prominent health care technology and services provider that is owned by Optum and part of the UnitedHealth Group. Change Healthcare is the largest health administrative network in the United States, providing a variety of services such as claims processing, billing, pharmacy requests, and clearinghouse functions to health care providers and health plans. It has been estimated that Change Healthcare alone processes half of the medical claims in the United States and handles more than 15 billion transactions annually.

On February 21, 2024, Change Healthcare experienced a significant cyberattack that led the company to shut down all of its computer systems, most of which remain shut down over two weeks later. Some Optum and UnitedHealth Group systems also were initially shut down as a precaution but were brought back up within several days. While this incident certainly raises serious concerns about the privacy and security of sensitive patient information, its primary impacts have been operational and financial. The immediate effects of the incident have included delays in filling prescriptions at pharmacies, interruptions in processing and paying health claims, stalled precertification processes and disruptions in cash flow that in some cases could threaten an organization’s ability to deliver the full continuum of care, make payroll or even remain in operation. Optum, UnitedHealth Group and the federal government have established programs to offer temporary financial relief to affected organizations.

Key Considerations

As a result of this impactful and rapidly developing situation, organizations are under intense pressure to find solutions and alternatives that will allow them to continue functioning as close to normal as possible. Many of those alternatives present risks and challenges that must be carefully considered. The following are key considerations for some of the common issues we are seeing:

  • Contractual Rights and Remedies. Given the extreme and unprecedented financial and operational impacts, many health care organizations are considering their options for obtaining services elsewhere, including identifying alternate vendors and evaluating contractual rights and remedies, including termination. While Change Healthcare is the largest provider of revenue cycle management services in the country, some other providers and platforms can also provide such services, many of which have stepped up to offer such services to organizations impacted by the unavailability of Change Healthcare services. Any organization that is considering moving to another vendor for these services should take the following practical steps:
    • Carefully review all current contracts with Change Healthcare to determine what rights and limitations may exist in the present circumstance.
    • Pay close attention to grounds for determining whether Change Healthcare has materially breached its contract(s) by ceasing to provide services and/or not meeting performance standards.
    • Identify termination notice requirements, early termination penalties, exclusivity clauses and other similar limitations that may exist.
    • Carefully review any force majeure clauses or specific exceptions addressing cyberattacks, but also terrorism or other unforeseen events, in Change Healthcare contracts.
    • Perform a comprehensive search to ensure that you are reviewing the current version of the operative agreement, as some of the contracts may date back several years, involve multiple amendments and work orders, and may involve predecessor entities to Change Healthcare such as RelayHealth and McKesson.
    • Be mindful of the operational impact of switching vendors and ensure that any alternative vendor can timely meet the organization’s needs.
  • Reimbursement Compliance. In addition to staunched cash flows, medical claims are now substantially backed up for a large segment of the health care industry. This is affecting payment processing by both commercial and governmental payors. CMS has indicated that it is working on guidance that could help provide needed flexibilities for federal program providers and suppliers, but there is a myriad of other potential ramifications from a reimbursement compliance perspective, including deadlines for submitting timely claims and meeting utilization management requirements. Health care organizations may want to proactively address these issues by taking the following practical steps:
    • Consider initiating outreach to payors to confirm claims submission deadlines or make arrangements to extend such deadlines.
    • Document any inability to comply with any payment prerequisites, such as obtaining prior authorizations, and any alternate standards on which decisions were based, in order to aid in future utilization management reviews.
    • Consider the feasibility of submitting paper claims or requesting accelerated payments to be reconciled once normal claims processing activities resume.
  • Financial Assistance. One development that has occurred as a means of reducing the financial impact on affected organizations is the offer of financial assistance or the establishment of financial assistance programs by other organizations in the industry. Optum itself has established such a program and the federal government is considering ways that it can provide much-needed cash infusions to affected organizations. We have also heard of offers from unaffected health care organizations to help support affected providers in their communities. While these efforts are laudable, they should be carefully reviewed to ensure they don’t create other challenges and compliance issues. Health care organizations that are considering obtaining such assistance should take the following practical steps:
    • Be sure to carefully vet any organizations that are offering to provide financial assistance to avoid becoming the victim of a scam.
    • Carefully review the terms and conditions of participation to ensure that they are reasonable and fair and do not require the organization to waive material rights.
    • Evaluate whether the receipt of such assistance can be structured in a manner that complies with fraud and abuse and anti-referral laws.
    • Consider any tax consequences that the receipt of such assistance could cause.
  • Privacy. The attack on Change Healthcare was a ransomware attack by a threat actor that claims to have exfiltrated six terabytes of data, and it has been reported that Change Healthcare paid a ransom. Forensic examination likely is still underway, but this information and the extended downtime increase the likelihood that the incident involved unauthorized access to sensitive information, including protected health information (“PHI”) and personally identifiable information (“PII”). Once the forensic examination is complete, we expect Change Healthcare to send a communication to its customers that explains any potential unauthorized access to PHI or PII. On March 13, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a letter to the health care industry indicating that it is aware of the incident and has opened an investigation into Change Healthcare and UnitedHealth Group that will focus on whether a breach of PHI occurred. Significantly, OCR indicated that its interest in HIPAA-regulated entities that partnered with Change Healthcare and UnitedHealth Group will be secondary. Nonetheless, Change Healthcare customers impacted by this incident should take the following practical steps:
    • Remain alert for any communications from Change Healthcare regarding any potential compromise to sensitive information and evaluate those communications to determine what legal obligations may exist under state and federal law, including notification to individuals and regulators.
    • Assess how any such obligations will be met and coordinate any required activities with your legal counsel and Change Healthcare, to the extent possible.
    • Ensure that you have a Business Associate Agreement with Change Healthcare and review it to determine relevant timelines and obligations.
  • Security. To date, there is no indication that the threat actor was able to leverage its presence on the Change Healthcare network to move laterally to the computer networks of Optum, UnitedHealth Group and other related entities or customers. After some initial questions regarding the risk of reconnecting to the Optum and UnitedHealth Group networks, those connections appear to have been re-established securely. According to published reports, Change Healthcare has restored many of its pharmacy systems and will be testing some of its other systems beginning the week of March 18. As additional systems are restored, impacted organizations will want to take the following practical steps:
    • Carefully assess and evaluate potential security risks that reconnection may present.
    • Work with your IT staff to determine what assurances they will require before agreeing to reconnect to Change Healthcare systems.
    • Prepare to closely monitor any re-established connections to Change Healthcare.
    • Consider notifying your cyber liability insurance carrier of a possible claim arising from a vendor security incident. This can wait until more information is provided by Change Healthcare regarding what data was accessed, but it does not hurt to place the insurer on notice of the possibility.
  • Other Considerations. There are a variety of other practical steps that affected health care organizations should consider taking, including:
    • Consider notifying your insurance carrier if you plan to file an insurance claim for financial losses arising from this incident, which could be available to organizations that have coverage for contingent business interruption caused by a third party.
    • Anticipate the possibility that Change Healthcare will go through bankruptcy, lawsuits from providers and lawsuits from patients as a result of this breach. Identify alternatives, either to act immediately or as contingency planning.

Our firm is actively monitoring the situation and our attorneys and advisors are prepared to provide support and guidance on these issues and any others that may arise.

If you have any questions or would like more information on this topic, please contact:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.