I don’t need to restate more than the basics of the Change Healthcare debacle: On February 21, 2024, Change Healthcare, the giant HIPAA clearinghouse unit of insurance giant UnitedHealthcare, flatlined, the victim of a cyberattack. “Experts” are attempting to resuscitate it.
The financial impact was immediate and momentous: Neither new nor existing claims, nor payment for them, could be processed. As a result, medical practices from solo docs to medical groups of thousands of physicians, as well as hospitals and other healthcare delivery facilities were cast into a sea of cashflow uncertainty.
While the popular press carries stories about the purported $22 million in bitcoin demanded by, and perhaps paid, to the cyber terrorists, and the pittance of financial help being offered by Change Healthcare’s parent organization, UnitedHealthcare, to its customer physician practices and facilities (a Florida primary care group with revenue of hundreds of thousands of dollars a month, states that it was offered a $540.00 per week loan), I suggest that there are two major lessons for medical group and facility leaders, one a structural observation and the other practical and immediately actionable.
The Structural Observation
HIPAA, which brought us clearinghouses, was predicated on the notion of electronic personal health information what would follow patients and be accessible by their various unrelated healthcare providers. As anyone who moves from internist #1 to internist #2, let alone from #2 to a specialist or, God forbid, from a car crash to an ER, knows, that premise was mostly wishful thinking, perhaps sponsored by political contributions from the guys selling trillions in IT infrastructure and “consulting”.
Whether BS or best-thing-since-sliced-bread, what resulted was an infrastructure built upon behemoths like Change Healthcare. But bigger is not only not always better, it is often far worse in that it is fragile: a defect within it reverberates, impacting thousands of providers and millions of patients.
I have no idea what defect within Change Healthcare the cyber criminals exploited, but the point is that it doesn’t matter. It’s not Change Healthcare itself that’s particularly the problem, it’s the size and complexity of both its own system and of its role in the larger claims system that’s the problem. As long as both remain large, large failures, and large cyberattacks, will continue.
The Practical Lesson
Spoiler alert: The right cyber liability policy.
Medical group leaders often think that cyber liability coverage is limited to claims related to events impacting their own entity’s computer system. It’s not. A properly negotiated and structured policy can provide coverage for losses as a result of cyber events, from hacks to system failures, at the vendor level.
In other words, cyber liability coverage can make sense even if your medical group doesn’t own a single computer.
Although policies are purchased via insurance brokers, don’t rely on your broker alone to analyze and negotiate the best possible coverage. The specific language of the policy and negotiated endorsements is what coverage, or lack thereof, is all about. “Cost” is generally not the deciding factor, value is. Cost-based shopping leads an Obamacare equivalent: “coverage” that provides little “care” in the event of a loss.
If you have existing cyber liability coverage and are impacted by the Change Healthcare debacle, act quickly to analyze your policy’s coverage and then act pursuant to its reporting requirements. If you don’t have cyber coverage, let Change Healthcare serve as a clarion call for you to change. Contact me to discuss either scenario.
