It’s been two-and-a-half months since Change Healthcare’s systems went dark due to a cyberattack, and questions remain unanswered about when its customers will know the full extent of the damage.
Meanwhile, providers are wondering what regulatory or legal consequences they could face — and whether they will bear costs associated with lawsuits and patient notifications for a breach that occurred outside their own systems.
UnitedHealth Group-owned Change Healthcare, a claims processor, was forced to disconnect its systems from providers, insurers and vendors due to a Feb. 21 cyberattack. The incident brought much of the back-office healthcare industry to a halt as the company worked to restore services, a process that is ongoing.
Lawyers say some providers could face legal or regulatory action, but for the most part, the focus is on Change.
Here's what providers need to know as fallout from the Change cyberattack continues.
What’s the latest on Change’s restoration process?
Change is working to fully restore its systems. As of May 10, nine of the 28 platforms listed on a Change website are marked uninterrupted or fully restored, including a reimbursement manager platform for claims pricing and picture archiving and communications systems. Seventeen platforms are partially available, one has restoration underway and one is marked as pending.
What are the regulatory risks?
Providers are required under the Health Insurance Portability and Accountability Act to have business associate agreements with vendors that outline each party’s responsibilities regarding protected health information.
HIPAA also requires providers to notify patients about data breaches if appropriate. In this case, UnitedHealth has said it will handle breach notifications for its customers, and provider groups are urging the insurer to make its intentions official with lawmakers and regulators.
Health and Human Services’ Office for Civil Rights, one of the main agencies that investigates data breaches, has said looking at whether Change’s partners and other entities complied with regulation is not a top priority.
“It would be difficult for any organization to investigate everyone involved,” said Kurt Sanger, counsel at Buchanan, Ingersoll & Rooney. “To go into that secondary layer, I think, would be a pretty daunting investigative challenge.”
Providers could be subject to investigations by state attorneys general.
Could providers face legal ramifications?
Class-action lawsuits are a possibility, but it's unlikely that providers would end up being liable, said Lynn Sessions, partner at BakerHostetler.
Ryan Higgins, a partner at McDermott, Will & Emery, agreed. “The theory of negligence by those healthcare providers or payers seems strange. This was really a Change Healthcare incident,” he said. “It’s possible that … affected providers or payers, particularly maybe some of the larger ones, are added as defendants, but I would guess that those organizations could probably fairly efficiently dispatch or get those claims dismissed.”
Providers would be responsible for any legal costs associated with defending their case.
Change is facing dozens of potential class-action lawsuits brought by providers struggling with payment delays and patients worried about identity theft.
What's the status on breach notifications?
Change has not issued a formal breach notification to HHS and said it may take months to learn the full extent of the cyberattack and notify those affected.
Providers are waiting for that formal notification. Having Change issue it would help prevent confusion among patients who might otherwise receive multiple notices about the same breach. Without more information from Change, providers also don't know for sure who was affected or what information was compromised.
What should providers be doing?
Providers should take this incident as an opportunity to review cybersecurity protocols and see how they can be improved, Buchanan's Sanger said.
Providers also need to be on top of communications and be prepared for the notification from Change, experts said.
They can direct patients toward UnitedHealth's free credit monitoring and support services.