
How the Change Healthcare attack may affect cyber insurance

UnitedHealth's Change Healthcare attack continued to show the devastating aftermath of supply chain attacks. Experts say it could change contingent language for future policies.

Cyber insurance carriers say they'll need to adapt to a ransomware threat landscape that's become increasingly dangerous, as highlighted by recent attacks against UnitedHealth's Change Healthcare and CDK Global.

Vendors reported record and historic highs for ransomware activity throughout 2023, and the threat continues to not only be prevalent but also increasingly disruptive for victim organizations. The attack on Change Healthcare earlier this year is arguably the most notable example of the trend. The technology provider for healthcare billing and revenue services was unable to reimburse its customers, forcing them to delay and causing some companies to reportedly go out of business.

Last month, Illinois-based CDK Global, which serves 15,000 automotive dealerships, also experienced extended downtime and massive downstream disruptions following an attack.

Now infosec experts and cyber insurance vendors say the significant attacks will affect underwriting and policies moving forward.

The BlackCat/Alphv ransomware gang claimed responsibility for the Change attack that caused months-long disruptions to patient care, healthcare providers and pharmacies. In response to the attack, Change revealed it paid a $22 million ransom to BlackCat operators.

However, it took additional time for the company to fully restore operations, and it is unclear what Change received in return for paying the ransom. During RSA Conference 2024, the National Security Agency highlighted the attack against Change as a warning to organizations about giving in to ransom demands.

Prior to the CDK Global and Change attacks, ransomware was already a challenging threat for insurers to cover due to the disruptive nature, negotiation process and payment decisions businesses faced. Now it might become even more complicated.

Peter Hedberg, vice president of cyber underwriting at Corvus Insurance, told TechTarget Editorial that the Change Healthcare attack illustrated a systemic risk for organizations that depend heavily on third-party providers. He stressed that it's an unusual situation because of how downstream attacks work.

"I say that because no one knew before we read the news stories how widespread the use of that service was. A provider has a medical biller, and that medical biller uses Change. The provider didn't make the decision to use Change; the medical biller did. And as soon as that went down, the downstream effects were significant," Hedberg said. "Those claims are still working their way through. It's giving a lot of insurers pause as to how they underwrite and view that aggregation from those different services."

While Hedberg believes the Change Healthcare attack will put an increased focus on contingent language used for downstream fallout, he said the biggest change will occur in underwriting. For example, he anticipates that underwriters will start taking deeper dives into the services that particular segments use. "When it comes to aggregation, everyone seems to be focused on the cloud. But they're not focused on these particular service applications that are out there as well. I think our homework will change," he said.

He also highlighted challenges with insuring the healthcare sector. Like lawyers, which he said are also popular targets, healthcare organizations have an established duty of confidentiality. Therefore, healthcare information is widely traded on the dark web, Hedberg said.

"There are numerous variants within the providers though. You have to put it [the data] in the electronic medical record systems too. They're very much an insurable risk, but you have to take it seriously," he said.

Sezan Seymour, vice president and head of regulatory risk and policy at Coalition, stressed that the Change Healthcare attack is a lesson in how mindful organizations need to be of third-party risks and how they affect downstream customers and clients as well. "This is another space where I think we try to counsel our insured. Like, what are you really paying for? What are your alternatives?" Seymour said.

Chet Wisniewski, a director and global field CTO at Sophos, told TechTarget Editorial that the Change Healthcare attack might affect supply chain coverage for insurance carriers moving forward. Based on what he's seen across the cyber insurance landscape over the last five years, Wisniewski said there will be an increased expectation that supply chain events will be covered by policies, describing the recent CDK and Change attacks as "devastating."

"If I were shopping for a policy myself, I'd be asking if I would be covered if I'm impacted by an upstream cyberincident," he said. "Insurance companies are either going to be offering that as an enhanced service or maybe explicitly writing it on their policies if they don't want to cover it. It could go the other way, where they don't cover it at all."

Change Healthcare incident response

Change Healthcare remained down with disrupted services for weeks despite paying the $22 million ransom. However, Wisniewski said insurers have made their stance on paying a ransom clear, and he doesn't believe the incident will alter anything. "At the moment, they're still defending paying the ransom," he said.

Wisniewski listed several factors that contribute to effective business continuity, including a prioritized schedule of getting certain services back up and running. He believes Change Healthcare was lacking in that department. "The fact that the event went on, I believe, for a month with at least noticeable outside impacts suggests that there wasn't any kind of rehearsed backup strategy," he said.

He stressed how Change was unable to provide any service for most of the outage and described the technical response as "chaotic," which intimated to him that Change did not have a well-executed incident response plan to work from during the attack.

On the other hand, Trent Cooksley, co-founder and COO at insurance provider Cowbell, told TechTarget Editorial that Change Healthcare was proactive in its response and handling clients. However, he stressed that since it was such a widespread event, the full fallout remains to be seen.

Cooksley also addressed the CDK attack, which he said forced many downstream customers to file 8-K forms with the Securities and Exchange Commission. "It wasn't on them. They did all their things right, but their provider was impacted as a result," he said.

Cysurance CEO Kirsten Bay agreed with Cooksley that the ripple effects of the Change Healthcare attack are still unfolding. Based on premium changes, which she said have decreased by 17% across the board, she anticipates that downstream customers are submitting numerous regulatory filings to adjust those types of premiums.

"What I think will be interesting -- and this is more of a supply chain conversation as it relates to CDK, Change and others -- is that we'll have a lot of organizations filing contingent business interruption claims, because they were downstream impacted by either the healthcare organizations who actually did have cyber insurance who recognize that they could file for the period of time that they couldn't do billing, for example," Bay said. "It's going to be rippling outward. And they may not be huge claims, but they're going to continue to percolate in."

Bay added that it's unusual for claims to continue rolling in that long after an attack. However, she thinks it's partly because insured organizations still largely misunderstand their policies, particularly the contingent business interruption coverage.

"What we're probably going to see is that's going to be more restricted coverage as people start using it, because it's not an often-used coverage, but it will be now," Bay said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
