Pramote Lertnitivanit/istock via

How the Change Healthcare attack may affect cyber insurance

UnitedHealth's Change Healthcare attack continued to show the devastating aftermath of supply chain attacks. Experts say it could change contingent language for future policies.


Listen to this article. This audio was generated by AI.

Cyber insurance carriers say they'll need to adapt to a ransomware threat landscape that's become increasingly dangerous, as highlighted by recent attacks against UnitedHealth's Change Healthcare and CDK Global.

Vendors reported record and historic highs for ransomware activity throughout 2023, and the threat continues to not only be prevalent but also increasingly disruptive for victim organizations. The attack on Change Healthcare earlier this year is arguably the most notable example of the trend. The technology provider for healthcare billing and revenue services was unable to reimburse its customers, forcing them to delay and causing some companies to reportedly go out of business.

Last month, Illinois-based CDK Global, which serves 15,000 automotive dealerships, also experienced extended downtime and massive downstream disruptions following an attack.

Now infosec experts and cyber insurance vendors say the significant attacks will affect underwriting and policies moving forward.

The BlackCat/Alphv ransomware gang claimed responsibility for the Change attack that caused months-long disruptions to patient care, healthcare providers and pharmacies. In response to the attack, Change revealed it paid a $22 million ransom to BlackCat operators.

However, it took additional time for the company to fully restore operations, and it is unclear what Change received in return for paying the ransom. During RSA Conference 2024, the National Security Agency highlighted the attack against Change as a warning to organizations about giving into ransom demands.

Prior to the CDK Global and Change attacks, ransomware was already a challenging threat for insurers to cover due to the disruptive nature, negotiation process and payment decisions businesses faced. Now it might become even more complicated.

Peter Hedberg, vice president of cyber underwriting at Corvus Insurance, told TechTarget Editorial that the Change Healthcare attack illustrated a systemic risk for organizations that depend heavily on third-party providers. He stressed that it's an unusual situation because of how downstream attacks work.

"I say that because no one knew before we read the news stories how widespread the use of that service was. A provider has a medical biller, and that medical biller uses Change. The provider didn't make the decision to use Change; the medical biller did. And as soon as that went down, the downstream effects were significant," Hedberg said. "Those claims are still working their way through. It's giving a lot of insurers pause as to how they underwrite and view that aggregation from those different services."

While Hedberg believes the Change Healthcare attack will put an increased focus on contingent language used for downstream fallout, he said the biggest change will occur in underwriting. For example, he anticipates that underwriters will start taking deeper dives into the services that particular segments use. "When it comes to aggregation, everyone seems to be focused on the cloud. But they're not focused on these particular service applications that are out there as well. I think our homework will change," he said.

He also highlighted challenges with insuring the healthcare sector. Like lawyers, which he said are also popular targets, healthcare organizations have an established duty of confidentiality. Therefore, healthcare information is widely traded on the dark web, Hedberg said.

"There are numerous variants within the providers though. You have to put it [the data] in the electronic medical record systems too. They're very much an insurable risk, but you have to take it seriously," he said.

Sezan Seymour, vice president and head of regulatory risk and policy at Coalition, stressed that the Change Healthcare attack is a lesson in how mindful organizations need to be of third-party risks and how they affect downstream customers and clients as well. "This is another space where I think we try to council our insured. Like, what are you really paying for? What are your alternatives?" Seymour said.

Chet Wisniewski, a director and global field CTO at Sophos, told TechTarget Editorial that the Change Healthcare attack might affect supply chain coverage for insurance carriers moving forward. Based on what he's seen across the cyber insurance landscape over the last five years, Wisniewski said there will be an increased expectation that supply chain events will be covered by policies, describing the recent CDK and Change attacks as "devastating".

"If I were shopping for a policy myself, I'd be asking if I would be covered if I'm impacted by an upstream cyberincident," he said. "Insurance companies are either going to be offering that as an enhanced service or maybe explicitly writing it on their policies if they don't want to cover it. It could go the other way, where they don't cover it at all."

Change Healthcare incident response

Change Healthcare remained down with disrupted services for weeks despite paying the $22 million ransom. However, Wisniewski said insurers have made their stance on paying a ransom clear, and he doesn't believe the incident will alter anything. "At the moment, they're still defending paying the ransom," he said.

Wisniewski listed several factors that contribute to effective business continuity, including a prioritized schedule of getting certain services back up and running. He believes Change Healthcare was lacking in that department. "The fact that the event went on, I believe, for a month with at least noticeable outside impacts suggests that there wasn't any kind of rehearsed backup strategy," he said.

He stressed how Change was unable to provide any service for most of the outage and described the technical response as "chaotic," which intimated to him that Change did not have a well-executed incident response plan to work from during the attack.

On the other hand, Trent Cooksley, co-founder and COO at insurance provider Cowbell, told TechTarget Editorial that Change Healthcare was proactive in its response and handling clients. However, he stressed that since it was such a widespread event, the full fallout remains to be seen.

Cooksley also addressed the CDK attack, which he said forced many downstream customers to file 8K forms with the Securities and Exchange Commission. "It wasn't on them. They did all their things right, but their provider was impacted as a result," he said.

Cysurance CEO Kirsten Bay agreed with Cooksley that the ripple effects of the Change Healthcare attack are still unfolding. Based on premium changes, which she said have decreased by 17% across the board, she anticipates that downstream customers are submitting numerous regulatory filings to adjust those types of premiums.

"What I think will be interesting -- and this is more of a supply chain conversation as it to relates to CDK, Change and others -- is that we'll have a lot of organizations filing contingent business interruption claims, because they were downstream impacted by either the healthcare organizations who actually did have cyber insurance who recognize that they could file for the period of time that they couldn't do billing, for example," Bay said. "It's going to be rippling outward. And they may not be huge claims, but they're going to continue to percolate in."

Bay added that it's unusual for claims to continue rolling in that long after an attack. However, she thinks it's partly because insured organizations still largely misunderstand their policies. Particularly, the contingent business interruption coverage, she said.

"What we're probably going to see is that's going to be more restricted coverage as people start using it, because it's not an often-used coverage, but it will be now," Bay said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Next Steps

Cyber insurers address ransom reimbursement policy concerns

Dig Deeper on Risk management