Legal.io
May 09, 2024

State Attorneys General Demand Enhanced Data Privacy Measures After Healthcare Cyberattack

Change Healthcare suffered a devastating ransomware attack earlier this year, forcing it to shut down its systems, leading UnitedHealth Group to pay a $22M ransom.

State Attorneys General Demand Enhanced Data Privacy Measures After Healthcare Cyberattack

On February 21, 2024, Change Healthcare, the largest healthcare payment system in the United States, announced that it had been targeted in a ransomware attack. This attack resulted in its systems shutting down. The American Hospital Association (AHA) characterized it as “the most significant and consequential cyberattack on the U.S. healthcare system in American history,” with an AHA survey showing more than 90% of hospitals reporting some financial impact.

The attack has crippled Change Healthcare, a company that provides a widely used program for healthcare providers to manage customer payments and insurance claims. The company has taken most of its systems offline to prevent the attack from spreading. The outage has been devastating for small and midsize healthcare providers.

$22M Ransom Paid in Response

In response to the attack, UnitedHealth Group, the parent company of Change Healthcare, paid a suspected ransom of $22M via Bitcoin to a digital-asset wallet associated with Russian “cybersecurity threat actor ALPHV/Blackcat.” UnitedHealth Group CEO Andrew Witty called it “one of the hardest decisions I’ve ever had to make.”

The recovery process is underway. Starting on March 7, 2024, UnitedHealth has publicly announced and updated timelines to restore key Change Healthcare systems. Most recently, on April 22, 2024, the company stated that while UnitedHealth had identified some Protected Health Information (PHI) and Personally Identifiable Information (PII) among the data accessed in the attack, it had not seen any evidence of extraction of certain especially-sensitive materials.

22 Attorneys General Call for Further Action

On April 25, 2024, the attorneys general of 22 states issued a letter encouraging UnitedHealth Group and its subsidiary, Change Healthcare, to take additional steps to respond to the massively disruptive cyberattack. The broad, bipartisan group of signatories reflects both the scale of the attack’s impact and its implications for the priorities of state attorneys general—from healthcare regulation to data privacy.

The attorney general coalition, led by Minnesota Attorney General Keith Ellison, deemed the UnitedHealth and Change Healthcare response to the attack as “inadequate.” The bipartisan group of attorneys general—including those from California, New York, Massachusetts, Nebraska, South Dakota, and Utah—requested several specific actions, including developing a dedicated complaint resolution mechanism for state agency complaints and a helpline for affected providers and pharmacies to resolve questions or affected claims.

The letter also urged UnitedHealth Group and Change Healthcare to engage in further engagement with those entities most likely to be impacted by the changes and a “comprehensive impact analysis” before making a final decision on the scope of each specific change and the best means of implementing it.

The Implications of the Cyberattack on the Healthcare Industry

The cyberattack on Change Healthcare has brought to light several key implications for the healthcare industry and beyond.

Firstly, it has exposed the vulnerability of the healthcare system to cybercrime. The attack has shown how a single cyberattack can disrupt the operations of healthcare providers, affecting their ability to provide care to patients. This has underscored the need for robust cybersecurity measures within the healthcare industry.

Secondly, the attack has highlighted the importance of data privacy. With the breach of Change Healthcare’s systems, sensitive patient data was potentially exposed. This has sparked discussions about the need for stronger data privacy protections and regulations.

The attack has raised questions about third-party risk management. Change Healthcare, as an intermediary between healthcare providers, patients, and payers, plays a crucial role in the healthcare payment system. The disruption of its services due to the cyberattack has shown the risks associated with relying on third parties for essential services.

The call to action from the 22 state attorneys general has underscored the role of regulatory bodies in ensuring the security and privacy of data. It has shown that regulatory bodies are prepared to step in and demand action when companies fail to adequately protect their systems and data.

GovernmentPrivacy

Customer Stories

See how leading enterprise in-house teams have scaled smarter with Legal.io's high-caliber flex talent.

Plaid
How Plaid used Legal.io for Flexible, Cost Effective Legal Talent

FINANCE / ENTERPRISE

Medallia
How Medallia Managed Legal Overflow and Accelerated Deals with Legal.io

SAAS / ENTERPRISE

Verily
How Verily Addressed High-Volume Commercial Counsel Needs with Legal.io

HEALTHCARE / ENTERPRISE

Zoom
How Zoom Streamlined Legal Operations with Flexible Staffing

TECHNOLOGY / ENTERPRISE

More from Legal.io

Starting a Business - Licenses & Permits
Starting a Business - Licenses & Permits

If your business is involved in activities that are supervised or regulated by a federal agency (ex: selling alcohol, firearms, tobacco, commercial fishing, etc.), then it may be necessary to obtain a federal license or permit.

Business and Corporate
May 18, 2015
Read More
Community Perspectives: Would you consider job hopping a good way to advance your career or a big resume negative?
Community Perspectives: Would you consider job hopping a good way to advance your career or a big resume negative?

In-house legal professionals talk about job hopping and what it says about a person on a resume.

In-House CounselCompensation
Apr 21, 2022
Read More
Community Perspectives: How do you gauge work/life balance during the interview stage?
Community Perspectives: How do you gauge work/life balance during the interview stage?

In-house legal professionals discuss how they are able to determine if a new position at a new company will have their desired work/life balance.

In-House CounselCompensation
Jun 03, 2022
Read More
Predictions for Legal Tech in 2024
Predictions for Legal Tech in 2024

AI boom, cost cuts, and consolidation on the horizon.

Career
Jan 19, 2024
Read More
Community Perspectives: Is disinterest during a panel interview a sign the company has already found their preferred candidate?
Community Perspectives: Is disinterest during a panel interview a sign the company has already found their preferred candidate?

Our in-house professional community discuss their impressions during in-house panel interviews.

In-House CounselCareer
Jun 11, 2021
Read More
Ready to hire?

Schedule a free consultation to discuss your hiring needs.

Schedule Call
Free 15-min consultation
Legal.io Platform
5 star reviews
Hiring made smarter

Easy-to-use platform for hiring legal talent, managing spend, and optimizing your panel — plus an average savings of 50%.

Need Immediate Help?

Submit a hiring request and let our experts handle the entire process for you.

Submit Hiring Request