The Change Healthcare Attack: Quantifying Footprint for Cyber (Re)insurers

Written by William Altman - Cyber Threat Intelligence Principal, Ethan Spangler, PhD - Lead Economist, and Jon Laux - VP Analytics

Healthcare entities nationwide, including pharmacies, providers, and others, have experienced disruptions following a cyber attack on Change Healthcare, a technology unit of UnitedHealth Group Inc. This incident highlights the vulnerability of the US Healthcare system to Single Point of Failure (SPoF) technology risks. 

CyberCube’s SPoF Intelligence is a tool that empowers (re)insurers to understand and manage technology dependencies within organizations and across portfolios. CyberCube customers can utilize SPoF Intelligence to identify insured entities that are dependent on Change Healthcare and thousands of other SPoF technologies. 

Key points to note

- A ransomware attack on Change Healthcare (CHC) caused an ongoing outage impacting US Healthcare entities, including pharmacies and care providers.
- On March 15, Change Healthcare restored select electronic payments and is proceeding with payer implementations. On March 7, the company restored pharmacy network services, and continues to work on remaining issues.
- The attack highlights the risk of SPoF technologies in healthcare and raises questions of SPoF risk in other industries also deemed critical infrastructure.
- Customers can use SPoF Intelligence to identify insureds using CHC and related SPoF technologies.
- CyberCube estimates a likely range of 107,000 to 189,000 entities exposed to CHC, based on a combination of Artificial Intelligence and Data Matching (as of 3/20/2024).

To help the cyber (re)insurance industry better understand the order of magnitude for entities that could be exposed in this ongoing widespread event, we used our SPoF data to provide an exposure footprint estimate for Change Healthcare (CHC). 

Our estimate is indicative of the number of entities potentially exposed, and not necessarily the number of claims or financial losses that could be experienced from this event. There remains a high degree of uncertainty as to the total costs related to this event as CHC begins to bring services back online.

Estimated Range of Entities Exposed To Change Healthcare (as of 3/20/24)

Source: CyberCube Enterprise Intelligence Layer (EIL), US-based entities

Recognizing that the situation is dynamic, CyberCube applied multiple methods to estimate the footprint of companies exposed to CHC. We used an Artificial Intelligence/Machine Learning method and a Data Matching method. Together, these methods estimate 72,000 to 240,000 entities exposed, with the number likely falling between 107,000 and 189,000 (as of 3/20/2024).

The attack and subsequent ongoing outage of CHC laid bare the reality that a concentrated number of software providers serve as the digital backbones of the US Healthcare system. When a SPoF such as CHC does experience a failure, it can take down a large swath of the system. 

Healthcare providers are locked out of a key payments platform

CHC provides software systems for clinical services used by medical professionals and runs a membership platform for patient services, giving it access to tens of millions of patient records. The company’s website says that it completes 15 billion healthcare transactions annually, and that one-in-three U.S. patient records are touched by their solutions.

UnitedHealth is the parent company of both Optum and Change Healthcare. Optum is a health services and innovation company that provides various health-related services, including healthcare delivery, data analytics, pharmacy care services, and health financial services.

Optum’s website makes clear that, other than select pharmacy services, almost all CHC services are still down. Among the critical CHC services still down is the CHC National Payments Connector platform. This platform serves as a central hub for managing payment transactions, including claims payments between healthcare payers and providers. Healthcare providers are facing several potential challenges:

Impact on Patient Care: Financial challenges resulting from payment delays or disruptions in revenue cycle management could potentially impact the quality of patient care. Healthcare providers may need to allocate additional resources to address financial issues, which could detract from their ability to focus on patient care.

Delayed Payments: Healthcare providers rely on timely receipt of payments from insurance companies and other payers to maintain their financial stability. With the National Payments Connector down, claims payments and remittances could be delayed, leading to cash flow problems for healthcare providers.

Disrupted Revenue Cycle Management: The National Payments Connector plays a critical role in the revenue cycle management process by facilitating payment transactions between payers and providers. An outage of the platform could disrupt this process, leading to inefficiencies in billing, payment posting, and reconciliation.

Increased Administrative Burden: Without access to the National Payments Connector, healthcare providers may need to resort to manual processes for payment processing and reconciliation. This could result in increased administrative burden, as staff may need to manually track payments, reconcile accounts, and follow up with payers on outstanding issues.

Compliance Concerns: Outages or disruptions in the National Payments Connector platform could raise concerns about compliance with regulatory requirements, such as timely filing deadlines for claims and remittance processing. Healthcare providers may need to take additional steps to ensure compliance while the platform is unavailable.

What this means for (re)insurers

(Re)insurers have a duty to understand the accumulation risk presented by SPoF technologies like CHC in US Healthcare. (Re)insurers can refer to the number of potentially exposed entities generated by CyberCube’s estimation methods as a guide when establishing further estimates for the impact of the CHC event, including the scope of exposed entities, as well as input for estimating losses and ranges. 

CyberCube’s suite of cyber risk analytics can help uncover best-in-class insureds in highly targeted but insurable industries including healthcare, as well as other critical infrastructure sectors. 

Methodology for estimating the exposure footprint

CyberCube used two methods to estimate the number of entities exposed to Change Healthcare (CHC): a Machine Learning method and Data Matching method.

Lower-bound Machine Learning exposure footprint: 72,000

CyberCube’s lower bound estimate for the number of entities exposed to CHC, using machine learning, is 72,000. We trained a random forest model using the firmographic qualities of entities with direct dependence on CHC as true-positive cases, and the firmographic qualities of other entities determined not to be dependent on CHC as true-negative cases. The model was trained to classify entities that have the right set of firmographics to be dependent on CHC.

We ran the model on our overall US Healthcare system list of entities — yielding a list of 72,000 entities likely dependent on CHC. Each entity in the 72,000 was predicted to use CHC based on a threshold of 50%. A threshold of 50% means that in all cases, the model predicted a probability of dependence on CHC greater than 50%. 

Middle-bound Data Matching exposure footprint: 107,000

To derive the middle bound (107,000) we identified entities with two or more direct dependencies on a CHC SPoF, suggesting a higher degree of dependence for those entities. We looked at the Standard Industrial Classification (SIC) codes represented in that list of entities and determined that there were four unique SIC codes in that list. We then queried our data lake of over 20 million companies for all companies with those same four SIC codes to derive a list of 107,000. 

Upper-bound Machine Learning exposure footprint: 189,000

CyberCube’s upper bound estimate for the number of entities exposed to CHC, using machine learning, is 189,000. To derive this upper bound we relaxed the predictive confidence threshold in our model for classifying an entity as dependent on CHC. 

Upper-bound Data Matching exposure footprint: 240,000 

To derive the upper bound of potentially impacted companies, we isolated entities in a US Healthcare industry portfolio that had CHC-relevant SIC codes, to derive a list of 240,000 entities that could potentially depend on CHC. This estimate assumes CHC holds ~35% of the US Healthcare market based on our list of US Health entities.
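The threshold-based and data-matching estimates described above, applied to a small constructed entity list, as an added example that is not CyberCube's code or data. The records, SIC codes, dependency names, probabilities and the relaxed threshold of 0.3 are assumptions; the page states only the 50% threshold and the two-or-more-dependencies rule.

```python
# Added example: footprint bounds on constructed records (not CyberCube data or code).
# Each record: entity id, SIC code, observed direct dependencies on the SPoF vendor,
# and a classifier probability of dependence. All values are invented for illustration.
ENTITIES = [
    ("e1", "8011", {"chc-payments", "chc-clearinghouse"}, 0.91),
    ("e2", "8011", {"chc-payments"}, 0.62),
    ("e3", "5912", {"chc-pharmacy", "chc-payments"}, 0.77),
    ("e4", "5912", set(), 0.41),
    ("e5", "8062", set(), 0.55),
    ("e6", "8099", set(), 0.18),
    ("e7", "8011", set(), 0.33),
    ("e8", "7372", {"chc-payments"}, 0.12),
]


def model_footprint(entities, threshold):
    """Entities whose predicted probability of dependence exceeds the threshold."""
    return {eid for eid, _sic, _deps, prob in entities if prob > threshold}


def seed_sic_codes(entities, min_deps=2):
    """SIC codes seen among entities with at least min_deps direct dependencies."""
    return {sic for _eid, sic, deps, _prob in entities if len(deps) >= min_deps}


def data_matching_footprint(entities, min_deps=2):
    """All entities that share a SIC code with the strongly dependent seed set."""
    codes = seed_sic_codes(entities, min_deps)
    return {eid for eid, sic, _deps, _prob in entities if sic in codes}


def footprint_bounds(entities, strict=0.5, relaxed=0.3):
    """Counts for the strict-threshold, data-matching and relaxed-threshold estimates."""
    return {
        "ml_strict": len(model_footprint(entities, strict)),
        "data_matching": len(data_matching_footprint(entities)),
        "ml_relaxed": len(model_footprint(entities, relaxed)),  # 0.3 is an assumed value
    }


def method_disagreement(entities, threshold=0.5):
    """Entities flagged by only one method: (model only, data matching only)."""
    model = model_footprint(entities, threshold)
    matched = data_matching_footprint(entities)
    return model - matched, matched - model


if __name__ == "__main__":
    print(footprint_bounds(ENTITIES))
    print(method_disagreement(ENTITIES))
```

Entities that only one method flags (here `e5`, `e4` and `e7`) are the ones worth checking by hand before relying on either count, and `e8` shows that an entity with an observed dependency can fall outside the SIC-based match entirely.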

By utilizing our unique set of data and analytics, CyberCube is able to better understand how many entities are exposed to CHC, so (re)insurers can take necessary action to assess this ongoing event. CyberCube will share more information as we improve our understanding of the event and how we can best query our data to ascertain the most realistic view of exposure.

The next steps for cyber (re)insurers

In addition to tracking other elements of this ongoing event, (re)insurers should be following reports that a significant amount of highly regulated personal health information (PHI) was stolen in the attack. CHC is said to touch one in three US patient health records. The US Government’s Office for Civil Rights (OCR), which enforces HIPAA, announced it will probe CHC on whether health information was breached.

While the data breach element of this event plays out, (re)insurers can look to CyberCube’s Portfolio Manager solution to proactively assess potential losses for a catastrophic breach of a major electronic health records (EHR) vendor. 

This event emphasizes the importance of timely access to accurate data and analytics for cyber (re)insurers to understand the impact of ongoing widespread cyber events. CyberCube is committed to providing just-in-time analytics and actionable threat intelligence to help customers make sense of fast-paced and dynamic cyber events.
