Change Healthcare, a company that provides technology and managed care services to the healthcare industry, announced on Thursday, February 29 that the ransomware group BlackCat, also known as AlphaV, was behind a cyber attack that continues to impact a multitude of different organizations who are reliant on Change Healthcare for their services, as well as their members, patients and customers. Since first making its appearance in 2021, BlackCat has proven themselves to be one of the most active groups specializing in ransomware as a service (RaaS), distributed denial-of-service (DDoS) and data exfiltration cyber attacks. The company’s systems have remained down while the company continues to provide customers with real time updates, including the following:
Furthermore, on February 28, BlackCat claimed to have exfiltrated six terabytes of data from Change Healthcare, including a large amount of sensitive data. In early March, WTW healthcare clients, including both payors and providers advised that they are facing rising financial impacts as payment and revenue cycle management systems remain down. On March 1, Change Healthcare announced that they finished setting up a new electronic prescription service, which could help provide some relief to pharmacies that have been impacted by the attack.
UnitedHealth Group, Change Healthcare’s parent company, will also be launching a temporary funding assistance program to help providers manage their short-term cash flow needs. It appears that also on March 1, according to a publicly visible transaction on Bitcoin’s blockchain, AlphV received $22 million in bitcoin. UnitedHealthcare has not confirmed or denied the payment. WTW will continue to monitor developments but is pleased to offer some immediate guidance.
For organizations with potential exposures arising from the Change Healthcare cyber incident, it’s imperative to connect with your internal stakeholders to proactively identify possible financial impacts. Some key considerations for assessing financial impact include the following:
01
02
03
Cyber insurance may respond to claims and losses that stem from the aforementioned cyber incident, depending on the specific terms and conditions of the applicable policy in play, including the extent of contingent business interruption coverage available. Therefore, organizations who have been impacted should strongly consider putting their cyber insurers on notice. Futher, organizations that use UnitedHealthcare, Optum or Change Healthcare, but are not yet sure they have been impacted by this incident, should consult with their broker to determine whether proactively issuing a notice of circumstance is the right course of action.
Comprised of highly qualified certified public accountants, chartered accountants, forensic accountants, charted financial analysts, certified fraud examiners and project managers, WTW’s Forensic Accounting & Complex Claims (FACC) Cyber Claim Practice specializes in quantifying economic damages resulting from cyber attacks, including ransomware attacks, data breaches and other cyber events. Our senior leaders have managed the largest and most complex cyber claims, including multiple large scale nation state attacks, high profile ransomware events, data breaches with more than 100 million exposed records and other notable cyber events.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
