Skip to main content
main content, press tab to continue
Article | FINEX Observer

Client alert: Change Healthcare cyber incident and potential customer impacts

By Robert Barberi and Dan Twersky | March 7, 2024

Understand the impacts and considerations for your organization after a significant cyber attack against Change Healthcare.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

What happened

Change Healthcare, a company that provides technology and managed care services to the healthcare industry, announced on Thursday, February 29 that the ransomware group BlackCat, also known as AlphaV, was behind a cyber attack that continues to impact a multitude of different organizations who are reliant on Change Healthcare for their services, as well as their members, patients and customers. Since first making its appearance in 2021, BlackCat has proven themselves to be one of the most active groups specializing in ransomware as a service (RaaS), distributed denial-of-service (DDoS) and data exfiltration cyber attacks. The company’s systems have remained down while the company continues to provide customers with real time updates, including the following:

  • February 21, 2024: Disclosed some applications were unavailable and that the issue was being triaged.
  • February 22, 2024: The company was experiencing more enterprise-wide connectivity issues and a network interruption.
  • February 23, 2024: Systems were disconnected to protect partners and patients and advised that company was working on multiple approaches to bring systems back online. In a filing with the SEC, UnitedHealth stated that the unauthorized party was a “suspected nation-state associated cyber security threat actor.”
  • February 23, 2024: Change Healthcare confirmed that the threat actor represented itself as ALPHV/BlackCat and that experts were working to address the matter, working closely with Mandiant and Palo Alto Network.

Furthermore, on February 28, BlackCat claimed to have exfiltrated six terabytes of data from Change Healthcare, including a large amount of sensitive data. In early March, WTW healthcare clients, including both payors and providers advised that they are facing rising financial impacts as payment and revenue cycle management systems remain down. On March 1, Change Healthcare announced that they finished setting up a new electronic prescription service, which could help provide some relief to pharmacies that have been impacted by the attack.

UnitedHealth Group, Change Healthcare’s parent company, will also be launching a temporary funding assistance program to help providers manage their short-term cash flow needs. It appears that also on March 1, according to a publicly visible transaction on Bitcoin’s blockchain, AlphV received $22 million in bitcoin. UnitedHealthcare has not confirmed or denied the payment. WTW will continue to monitor developments but is pleased to offer some immediate guidance.

What potentially affected organizations should do

For organizations with potential exposures arising from the Change Healthcare cyber incident, it’s imperative to connect with your internal stakeholders to proactively identify possible financial impacts. Some key considerations for assessing financial impact include the following:

  1. 01

    Lost revenue considerations

    • Lost pharmacy revenue: Inability or delays in processing customer health insurance or pharmacy benefits resulting in:
      • Lost prescription revenue
      • Lost related/ancillary revenue due to customers going elsewhere to process their prescriptions, such as over the counter medications, candy, personal care items, etc.
    • Other lost revenue: Any other lost service or product revenue caused by the event, including:
      • Visits and procedures
      • Other/ancillary revenues related to visits and procedures
  2. 02

    Incremental labor/OT costs

    • Manual processes and inefficiencies/increased labor costs: Any increased labor costs associated with manually filling prescriptions or other inefficiencies caused by the event resulting in additional labor costs.
      • Increased regular or OT hours for additional staff hours incurred because of the system disruption
    • Hourly IT staff incremental compensation: Increased compensation costs for hourly IT employees assisting with the response or recovery to the event.
    • Internal labor tracking guidelines: Track name, date worked, number of hours, ST/OT and description of work performed.
  3. 03

    Other costs

    • Any costs incurred for responding to or recovering from the event, including:
      • Forensic IT consultant costs
      • IT consultants for data recovery, etc.
      • Additional servers or hardware purchases
      • Incremental cloud costs for moving applications to cloud or data backup

Insurance implications and considerations

Cyber insurance may respond to claims and losses that stem from the aforementioned cyber incident, depending on the specific terms and conditions of the applicable policy in play, including the extent of contingent business interruption coverage available. Therefore, organizations who have been impacted should strongly consider putting their cyber insurers on notice. Futher, organizations that use UnitedHealthcare, Optum or Change Healthcare, but are not yet sure they have been impacted by this incident, should consult with their broker to determine whether proactively issuing a notice of circumstance is the right course of action.

Comprised of highly qualified certified public accountants, chartered accountants, forensic accountants, charted financial analysts, certified fraud examiners and project managers, WTW’s Forensic Accounting & Complex Claims (FACC) Cyber Claim Practice specializes in quantifying economic damages resulting from cyber attacks, including ransomware attacks, data breaches and other cyber events. Our senior leaders have managed the largest and most complex cyber claims, including multiple large scale nation state attacks, high profile ransomware events, data breaches with more than 100 million exposed records and other notable cyber events.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).


Director, FINEX Cybersecurity and Professional Risk

FINEX NA Claims Advocate & Global Cyber Claims Leader

Contact us