Client alert: Change Healthcare cyber incident and potential customer impacts

List of website locations and languages available in Americas
Location	Languages Available
Argentina	Spanish
Bermuda	English
Brazil	Portuguese
Canada	English French
Chile	Spanish
Colombia	Spanish
Costa Rica	Spanish
El Salvador	Spanish
Guatemala	Spanish
Honduras	Spanish
Mexico	Spanish
Nicaragua	Spanish
Panama	Spanish
Peru	Spanish
United States	English
Venezuela	Spanish

List of website locations and languages available in Asia-Pacific
Location	Languages Available
Australia	English
China	Simplified Chinese
Hong Kong (China, SAR)	English
India	English
Indonesia	English
Japan	Japanese
Korea	Korean
Malaysia	English
New Zealand	English
Philippines	English
Singapore	English
Taiwan	Traditional Chinese
Thailand	English Thai
Vietnam	English Vietnamese

List of website locations and languages available in Europe
Location	Languages Available
Austria	German
Belgium	English French Flemish
Croatia	English Croatian
Czech Republic	English Czech
Denmark	Danish
Finland	Finnish
France	French
Germany	German
Greece	Greek
Hungary	Hungarian
Ireland	English
Italy	Italian
Kazakhstan	Kazakh Russian
Luxembourg	French
Netherlands	Dutch English
Norway	Norwegian
Poland	Polish
Portugal	Portuguese
Romania	Romanian
Serbia	Serbian
Slovakia	Slovak
Spain	Spanish
Sweden	English Swedish
Switzerland	English French German
Turkey	Turkish
Ukraine	Ukrainian
United Kingdom	English

List of website locations and languages available in Middle East and Africa
Location	Languages Available
Cameroon	English French
Congo	French
Egypt	English
Ghana	English
Ivory Coast	French
Israel	English
Jordan	English
Kenya	English
Kuwait	English
Mauritius	English
Nigeria	English
Saudi Arabia	English
Senegal	French
South Africa	English
UAE	English
Uganda	English

What happened

Change Healthcare, a company that provides technology and managed care services to the healthcare industry, announced on Thursday, February 29 that the ransomware group BlackCat, also known as AlphaV, was behind a cyber attack that continues to impact a multitude of different organizations who are reliant on Change Healthcare for their services, as well as their members, patients and customers. Since first making its appearance in 2021, BlackCat has proven themselves to be one of the most active groups specializing in ransomware as a service (RaaS), distributed denial-of-service (DDoS) and data exfiltration cyber attacks. The company’s systems have remained down while the company continues to provide customers with real time updates, including the following:

February 21, 2024: Disclosed some applications were unavailable and that the issue was being triaged.
February 22, 2024: The company was experiencing more enterprise-wide connectivity issues and a network interruption.
February 23, 2024: Systems were disconnected to protect partners and patients and advised that company was working on multiple approaches to bring systems back online. In a filing with the SEC, UnitedHealth stated that the unauthorized party was a “suspected nation-state associated cyber security threat actor.”
February 23, 2024: Change Healthcare confirmed that the threat actor represented itself as ALPHV/BlackCat and that experts were working to address the matter, working closely with Mandiant and Palo Alto Network.

Furthermore, on February 28, BlackCat claimed to have exfiltrated six terabytes of data from Change Healthcare, including a large amount of sensitive data. In early March, WTW healthcare clients, including both payors and providers advised that they are facing rising financial impacts as payment and revenue cycle management systems remain down. On March 1, Change Healthcare announced that they finished setting up a new electronic prescription service, which could help provide some relief to pharmacies that have been impacted by the attack.

UnitedHealth Group, Change Healthcare’s parent company, will also be launching a temporary funding assistance program to help providers manage their short-term cash flow needs. It appears that also on March 1, according to a publicly visible transaction on Bitcoin’s blockchain, AlphV received $22 million in bitcoin. UnitedHealthcare has not confirmed or denied the payment. WTW will continue to monitor developments but is pleased to offer some immediate guidance.

What potentially affected organizations should do

For organizations with potential exposures arising from the Change Healthcare cyber incident, it’s imperative to connect with your internal stakeholders to proactively identify possible financial impacts. Some key considerations for assessing financial impact include the following:

01
Lost revenue considerations
- Lost pharmacy revenue: Inability or delays in processing customer health insurance or pharmacy benefits resulting in:
  - Lost prescription revenue
  - Lost related/ancillary revenue due to customers going elsewhere to process their prescriptions, such as over the counter medications, candy, personal care items, etc.
- Other lost revenue: Any other lost service or product revenue caused by the event, including:
  - Visits and procedures
  - Other/ancillary revenues related to visits and procedures
02
Incremental labor/OT costs
- Manual processes and inefficiencies/increased labor costs: Any increased labor costs associated with manually filling prescriptions or other inefficiencies caused by the event resulting in additional labor costs.
  - Increased regular or OT hours for additional staff hours incurred because of the system disruption
- Hourly IT staff incremental compensation: Increased compensation costs for hourly IT employees assisting with the response or recovery to the event.
- Internal labor tracking guidelines: Track name, date worked, number of hours, ST/OT and description of work performed.
03
Other costs
- Any costs incurred for responding to or recovering from the event, including:
  - Forensic IT consultant costs
  - IT consultants for data recovery, etc.
  - Additional servers or hardware purchases
  - Incremental cloud costs for moving applications to cloud or data backup

Insurance implications and considerations

Cyber insurance may respond to claims and losses that stem from the aforementioned cyber incident, depending on the specific terms and conditions of the applicable policy in play, including the extent of contingent business interruption coverage available. Therefore, organizations who have been impacted should strongly consider putting their cyber insurers on notice. Futher, organizations that use UnitedHealthcare, Optum or Change Healthcare, but are not yet sure they have been impacted by this incident, should consult with their broker to determine whether proactively issuing a notice of circumstance is the right course of action.

Comprised of highly qualified certified public accountants, chartered accountants, forensic accountants, charted financial analysts, certified fraud examiners and project managers, WTW’s Forensic Accounting & Complex Claims (FACC) Cyber Claim Practice specializes in quantifying economic damages resulting from cyber attacks, including ransomware attacks, data breaches and other cyber events. Our senior leaders have managed the largest and most complex cyber claims, including multiple large scale nation state attacks, high profile ransomware events, data breaches with more than 100 million exposed records and other notable cyber events.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).