At any hour, your company is vulnerable to cybercriminals aiming to cripple your operations. The repercussions are vast, from productivity loss to compromising sensitive information, which erodes trust with customers and employees alike. The financial toll and reputational harm can be severe and lasting. Whether facing a widespread assault or a precise strike, these attacks are escalating in frequency, sophistication and financial impact.
On February 21, 2024, Change Healthcare, a healthcare technology company under Optum and owned by UnitedHealth Group, disclosed enterprise-wide connectivity issues and service application interruptions, attributing them to the ALPHV/Blackcat ransomware as a service (Raas) threat actor. This incident affected tools used for healthcare payment and revenue cycle management across various healthcare provider customers in the United States.
Consequences of this incident include disruptions in pharmacy and health system operations nationwide, prompting the American Hospital Association (AHA) to advise healthcare organizations potentially affected to disconnect from Change Healthcare applications until the situation resolves. To mitigate the impact, over 90% of U.S. pharmacies have implemented modified electronic claims processing methods, while the remaining have resorted to offline processing systems. This, according to UnitedHealth Group.
In the event of compromised patient data, affected organizations may face legal obligations under HIPAA and state breach notification laws, leading to regulatory scrutiny or privacy-related lawsuits. The incident is part of a broader trend, with the FBI identifying over 1,000 global victims of ALPHV Blackcat ransomware and data extortion, with healthcare being a primary target.
A report from Health-ISAC suggests potential exploitation of certain ConnectWise ScreenConnect vulnerabilities may be behind the attack, with predictions of more organizations falling victim due to the exploit's simplicity. Impacted Change Healthcare customers are advised to communicate with payors for payment workarounds, monitor official updates, follow AHA advisories and review recommendations from various entities including Health-ISAC, CISA, HFMA and HHS.
Potential Business Impacts
Additional steps for impacted companies include the following:
- Develop security-related queries for Change Healthcare to ensure security prior to reconnection to any impacted networks.
- Review all current HIPAA compliance programs including policies and any risk analysis.
- Notify insurers of potential business interruptions and security incidents, and evaluate your current cyber risk coverage.
- Now would be a good time to review and update companywide cybersecurity programs, policies and procedures including privacy policies and incident response plans.
- Review your current contracts for data or privacy provisions with contracted vendors. While vendors have their own privacy policies and practices, companies that utilize their services may be held accountable for third party breaches. Reviewing vendors’ contracts and adding key provisions that ensure the vendor is abiding by their regulatory duties helps you stay informed and could create a cause of action in the case of non-performance.
- Review business associate agreements to ensure that your vendors are responsible for any costs you may incur for their breach, like patient notification, credit monitoring and fines.
- Review internal company policies - Companies often fail to ensure the promises and assertions made in the public facing policies posted on their website are actual practices of the company.
- Connect with Data Privacy Counsel/Advisors
- Include data privacy counsel in business operation discussions – this helps build privacy into the daily practice of the business and can save companies thousands of dollars on litigation expenses. The goal is to be proactive when considering privacy while juggling business innovation and growth.
- Your organization should develop a team to help you navigate through the complexities of data privacy law and provide the best course of action to avoid data breaches and regulatory fines for noncompliance.
These measures aim to navigate the aftermath of the incident and prevent similar occurrences in the future.
© 2025 Dinsmore & Shohl LLP. All rights reserved.