Change Healthcare, a company owned by UnitedHealth Group, handles 60% of prescription processing in the US and processes 15 billion transactions a year. On Feb. 21, 2024, Change Healthcare confirmed that the company fell victim to a ransomware attack that affected its ability to process prescription payments. Less than three weeks after the attack, we are beginning to see the first wave of related claims.

Following the ransomware attack, patients and providers are still trying to recover from the repercussions, which include:

• Backlogs in patient prescriptions,

• Threats to patient security,

• Disruptions in patient discharges at hospitals, and

• Paycheck delays for medical staff.

Patients are forced to choose between either paying significant out-of-pocket costs for their prescriptions or forgoing essential prescriptive medications, which could lead to significant health concerns.

The downstream impact of cyber attacks like these can be severe and far-reaching. To date, we are aware of at least six lawsuits seeking class-action status, four of which were filed in a Tennessee district court where Change is based and two were filed in Minnesota where the parent company United Health Group is headquartered. We expect to see more claims arise in the coming weeks and months.

The attack, which has been attributed to the ALPHV/BlackCat ransomware group, illustrates how a security failure in a single business network can lead to a widespread impact within an entire industry and beyond. Many businesses that contract with Change Healthcare have suffered significant losses, including loss of revenue, reputational harm, legal and regulatory costs, and extra expenses.

The Newfront Cyber claims team is currently assisting clients who have been impacted, with losses connected to contingent business interruption and extra expense costs.

This event highlights the need for robust cybersecurity coupled with a comprehensive breach response plan. The investment in a comprehensive cyber risk policy can provide the dependent business interruption and extra expenses associated with an attack to a dependent business, but not all cyber policies are alike. Without proper coverage, businesses may be forced to incur legal costs to pursue reimbursement against Change Healthcare for the costs related to this event, recovery of which is not guaranteed.

Please contact Newfront for a review of your cyber insurance program.