On February 21, 2024, Change Healthcare, the largest healthcare payment system in the United States, announced that it had been targeted in a ransomware attack. This attack resulted in its systems shutting down. The American Hospital Association (AHA) characterized it as “the most significant and consequential cyberattack on the U.S. healthcare system in American history,” with an AHA survey showing more than 90% of hospitals reporting some financial impact.

The attack has crippled Change Healthcare, a company that provides a widely used program for healthcare providers to manage customer payments and insurance claims. The company has taken most of its systems offline to prevent the attack from spreading. The outage has been devastating for small and midsize healthcare providers.

$22M Ransom Paid in Response

In response to the attack, UnitedHealth Group, the parent company of Change Healthcare, paid a suspected ransom of $22M via Bitcoin to a digital-asset wallet associated with Russian “cybersecurity threat actor ALPHV/Blackcat.” UnitedHealth Group CEO Andrew Witty called it “one of the hardest decisions I’ve ever had to make.”

The recovery process is underway. Starting on March 7, 2024, UnitedHealth has publicly announced and updated timelines to restore key Change Healthcare systems. Most recently, on April 22, 2024, the company stated that while UnitedHealth had identified some Protected Health Information (PHI) and Personally Identifiable Information (PII) among the data accessed in the attack, it had not seen any evidence of extraction of certain especially-sensitive materials.

22 Attorneys General Call for Further Action

On April 25, 2024, the attorneys general of 22 states issued a letter encouraging UnitedHealth Group and its subsidiary, Change Healthcare, to take additional steps to respond to the massively disruptive cyberattack. The broad, bipartisan group of signatories reflects both the scale of the attack’s impact and its implications for the priorities of state attorneys general—from healthcare regulation to data privacy.

The attorney general coalition, led by Minnesota Attorney General Keith Ellison, deemed the UnitedHealth and Change Healthcare response to the attack as “inadequate.” The bipartisan group of attorneys general—including those from California, New York, Massachusetts, Nebraska, South Dakota, and Utah—requested several specific actions, including developing a dedicated complaint resolution mechanism for state agency complaints and a helpline for affected providers and pharmacies to resolve questions or affected claims.

The letter also urged UnitedHealth Group and Change Healthcare to engage in further engagement with those entities most likely to be impacted by the changes and a “comprehensive impact analysis” before making a final decision on the scope of each specific change and the best means of implementing it.

The Implications of the Cyberattack on the Healthcare Industry

The cyberattack on Change Healthcare has brought to light several key implications for the healthcare industry and beyond.

Firstly, it has exposed the vulnerability of the healthcare system to cybercrime. The attack has shown how a single cyberattack can disrupt the operations of healthcare providers, affecting their ability to provide care to patients. This has underscored the need for robust cybersecurity measures within the healthcare industry.

Secondly, the attack has highlighted the importance of data privacy. With the breach of Change Healthcare’s systems, sensitive patient data was potentially exposed. This has sparked discussions about the need for stronger data privacy protections and regulations.

The attack has raised questions about third-party risk management. Change Healthcare, as an intermediary between healthcare providers, patients, and payers, plays a crucial role in the healthcare payment system. The disruption of its services due to the cyberattack has shown the risks associated with relying on third parties for essential services.

The call to action from the 22 state attorneys general has underscored the role of regulatory bodies in ensuring the security and privacy of data. It has shown that regulatory bodies are prepared to step in and demand action when companies fail to adequately protect their systems and data.