Change Healthcare suffered a devastating ransomware attack earlier this year, forcing it to shut down its systems, leading UnitedHealth Group to pay a $22M ransom.
On February 21, 2024, Change Healthcare, the largest healthcare payment system in the United States, announced that it had been targeted in a ransomware attack. This attack resulted in its systems shutting down. The American Hospital Association (AHA) characterized it as “the most significant and consequential cyberattack on the U.S. healthcare system in American history,” with an AHA survey showing more than 90% of hospitals reporting some financial impact.
The attack has crippled Change Healthcare, a company that provides a widely used program for healthcare providers to manage customer payments and insurance claims. The company has taken most of its systems offline to prevent the attack from spreading. The outage has been devastating for small and midsize healthcare providers.
$22M Ransom Paid in Response
In response to the attack, UnitedHealth Group, the parent company of Change Healthcare, paid a suspected ransom of $22M via Bitcoin to a digital-asset wallet associated with Russian “cybersecurity threat actor ALPHV/Blackcat.” UnitedHealth Group CEO Andrew Witty called it “one of the hardest decisions I’ve ever had to make.”
The recovery process is underway. Starting on March 7, 2024, UnitedHealth has publicly announced and updated timelines to restore key Change Healthcare systems. Most recently, on April 22, 2024, the company stated that while UnitedHealth had identified some Protected Health Information (PHI) and Personally Identifiable Information (PII) among the data accessed in the attack, it had not seen any evidence of extraction of certain especially-sensitive materials.
22 Attorneys General Call for Further Action
On April 25, 2024, the attorneys general of 22 states issued a letter encouraging UnitedHealth Group and its subsidiary, Change Healthcare, to take additional steps to respond to the massively disruptive cyberattack. The broad, bipartisan group of signatories reflects both the scale of the attack’s impact and its implications for the priorities of state attorneys general—from healthcare regulation to data privacy.
The attorney general coalition, led by Minnesota Attorney General Keith Ellison, deemed the UnitedHealth and Change Healthcare response to the attack “inadequate.” The bipartisan group of attorneys general (including those from California, New York, Massachusetts, Nebraska, South Dakota, and Utah) requested several specific actions, including developing a dedicated complaint resolution mechanism for state agency complaints and a helpline for affected providers and pharmacies to resolve questions or affected claims.
The letter also urged UnitedHealth Group and Change Healthcare to engage further with the entities most likely to be impacted by the changes and to carry out a “comprehensive impact analysis” before making a final decision on the scope of each specific change and the best means of implementing it.
The Implications of the Cyberattack on the Healthcare Industry
The cyberattack on Change Healthcare has brought to light several key implications for the healthcare industry and beyond.
Firstly, it has exposed the vulnerability of the healthcare system to cybercrime. The attack has shown how a single cyberattack can disrupt the operations of healthcare providers, affecting their ability to provide care to patients. This has underscored the need for robust cybersecurity measures within the healthcare industry.
Secondly, the attack has highlighted the importance of data privacy. With the breach of Change Healthcare’s systems, sensitive patient data was potentially exposed. This has sparked discussions about the need for stronger data privacy protections and regulations.
The attack has raised questions about third-party risk management. Change Healthcare, as an intermediary between healthcare providers, patients, and payers, plays a crucial role in the healthcare payment system. The disruption of its services due to the cyberattack has shown the risks associated with relying on third parties for essential services.
The call to action from the 22 state attorneys general has underscored the role of regulatory bodies in ensuring the security and privacy of data. It has shown that regulatory bodies are prepared to step in and demand action when companies fail to adequately protect their systems and data.