A ransomware attack on Change Healthcare, a technology company owned by UnitedHealth that touches one of every three U.S. patient records, has resulted in hospitals and pharmacies across New York facing a cash crunch.

The Feb. 21 attack not only places the health care and personal data of tens of millions of patients at risk, but it leaves hospitals and pharmacies unable to submit prior authorization requests and bills for services to some health insurance plans. Given typical lag times for submitting payment claims, the attack could threaten cash flow for the health care providers as soon as the start of March.

The attack on health care information is a perfect example of why the state of New York recently proposed more extensive cybersecurity regulations for health care providers, as well as an instance where Harris Beach’s cybersecurity and data protection services would help organizations avoid or mitigate attacks.

The attack is alleged to have come from the Blackcat ransomware gang, which claims to have stolen 6TB of data and information about millions of patients. The information purports to include medical, dental and insurance records, claims information and personal information such as Social Security numbers. The group posted screenshots as proof of the data theft, but later pulled them down, presumably after contact from Change Healthcare, a Nashville, TN-based provider of health care billing and data systems that processes more than 15 billion health care transactions annually.

Blackcat is one of the internet’s most notorious ransomware gangs – cybercriminals that steal data and hold it hostage in hopes of securing big payouts for its release. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services recently released a joint cybersecurity advisory noting that health care has been the sector most victimized by Blackcat since December, and urged health care organizations to implement security measures to reduce the likelihood of attacks and mitigate their impact.

Insurance giant UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Through Optum, Change Healthcare provides prescription services to more than 67,000 U.S. pharmacies and serves 129 million patients.

Change Healthcare’s clients include Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Change Healthcare has said it does not believe Optum, UnitedHealthcare, and UnitedHealth Group systems were compromised and the breach appears to be limited to Change Healthcare.

Ransomware Attack’s Impact on New York Health Care Providers

Many New York hospitals and pharmacies use Change Healthcare’s technology to submit prior authorization requests and bills for services. Any delay in reimbursement can be crippling, especially for small, independent pharmacies. The New York Health Plan Association said its insurance members are implementing manual workarounds to maintain access to prior authorization and utilization review processes.

The Greater New York Hospital Association has asked the state to direct health insurers to waive prior authorization requirements and issue advance payments to providers.

New York Wants Tighter Cybersecurity Controls in Health Care

While the state has yet to take action, Gov. Hochul has made the protection of health information a priority of her administration. She recently announced her proposed cybersecurity regulations and included $500 million in her 2024 budget for health care facilities to upgrade their technology systems and comply with the new rules.

Growing cyber threats are forcing cybersecurity to evolve, Hochul said at the time.

“Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” she said. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

Hochul wants hospitals and health facilities to proactively prevent cybersecurity incidents with security plans that assess internal and external risks, develop defensive techniques and infrastructure and implement measures that protect the systems from unauthorized access and malicious acts. Additionally, the proposed regulations require response plans for security incidents and testing to ensure patient care continues during an incident.

Many of the requirements are consistent with a well-implemented security program under HIPAA, but there are some specific requirements around audit trails, testing, risk assessments, third-party service providers, multifactor authentication and training.

The new regulation would add a new section 405.46 to Title 10 (Health) of the Official Compilation of Codes, Rules and Regulations of the State of New York and would apply to all general hospitals. Under this proposed regulation, cybersecurity plans must include written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals also must establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital. The proposed regulations also require the use of multifactor authentication to access internal networks from an external network.

Finally, there are specific requirements around audit trails, training, and governance. None of this is contrary to a well-developed security program under HIPAA, but there are some additions to what HIPAA might require. Significantly, the regulation requires reporting to the state within two hours of a hospital determining that it has experienced a cyber-related incident, which could be a burden in the early stages of addressing a cyber incident. This is significantly shorter than the window required under HIPAA and could involve discussions with regulators sooner than many hospitals are ready for. Accordingly, it is important that New York State hospitals update both their written information security plans and their incident response plans to address this amendment should it become law.

Cybersecurity a Main Concern for the Health Care Industry

Cyberattacks are also a main concern of health care leaders. Chief Healthcare Executive recently reported more than 88 million people were affected by large breaches of personal health information in the United States in 2023. Such breaches must be reported to the U.S. Department of Health and Human Services. The agency reports data breaches climbed by 239% in the past four years, including by 60% in 2023, with 77% of those breaches stemming from cyberattacks.

According to a report last year from Bain & Company and KLAS Research, regional health systems, free-standing hospitals and mental health providers are especially focused on security and privacy investments, particularly in areas such as cybersecurity, Internet of Things security and patient privacy monitoring, the authors note.

With good reason. Moody’s Investors Service rates about $22 trillion of global debt as having “high” or “very high” cyber-risk exposure, with hospitals among the sectors facing the highest risk of cyberattacks. Moody’s Cyber Heatmap looks at two factors, exposure and mitigation, and scores 71 sectors. Not-for-profit hospitals ranked “very high” for cyber risk because they are highly attractive, data-rich targets with only average mitigation measures.

Harris Beach Offers Cybersecurity and Data Privacy Services, Technical Support

Harris Beach monitors developments on current attacks and future threats, as well as cybersecurity regulation and legislation. Our experienced legal team provides a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advice on following National Institute of Standards and Technology protocols. Harris Beach even offers a rapid response team in the event of a breach.

Harris Beach also offers technical support, including compliance tools that support risk management. Caetra.io, a wholly-owned subsidiary of Harris Beach, is a first-of-its-kind solution: software that integrates the law. Not only does it incorporate industry-standard security frameworks to ensure your policies meet or exceed regulatory requirements, it distills cybersecurity regulations into detailed controls to deliver policies that fit your risk tolerance and compliance requirements. This reduces dependency on legal counsel to provide regulatory mapping and cybersecurity compliance policies.

If you’ve been impacted by the breach or are interested in implementing a HIPAA-compliant cybersecurity system, contact attorney Alan M. Winchester at awinchester@harrisbeach.com and (212) 313-5403; attorney Roy W. Breitenbach at rbreitenbach@harrisbeach.com and (516) 880-8378; or the Harris Beach attorney with whom you most frequently work.

This alert is not a substitute for advice of counsel on specific legal issues.

Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, Long Island, New York City, Rochester, Saratoga Springs, Syracuse and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.