The cyberattack on Change Healthcare in 2024 was a watershed moment for the United States healthcare system, revealing vulnerabilities and catalyzing a reevaluation of cybersecurity practices within the sector. This incident has not only disrupted the immediate operations of healthcare providers, but also highlighted the long-term emerging risks that need to be addressed to safeguard patient care and data integrity. Below, we explore the fallout from this cyberattack and the new risks that are emerging in its wake.

Unprecedented impact of healthcare cyberattack on US system

The cyberattack on Change Healthcare has been described as the most significant and consequential incident of its kind against the US healthcare system in history. Rick Pollack, president and CEO of the American Hospital Association, emphasized the attack’s severe impact on hospitals’ ability to provide patient care, fill prescriptions, and submit necessary documentation.

Restoration efforts post-cyberattack reveal vulnerabilities

In response to the cyberattack, Change Healthcare has made significant strides in restoring services impacted by the event, prioritizing the restoration of services that impact patient access to care or medication. Pharmacy services have returned to near-normal levels, with 99% of pre-incident pharmacies able to process claims. This rapid restoration effort, while commendable, also raises questions about the potential vulnerabilities that may be exploited in the future as systems come back online.

The critical role of cybersecurity in healthcare 

The cyberattack on Change Healthcare, one of the largest healthcare technology companies in the US, underscores the critical importance of cybersecurity within the healthcare sector. As healthcare increasingly relies on technology for delivering care and managing operations, the sector must prioritize robust cybersecurity measures to protect against such incidents in the future.  We recommend CEOs increase investment in cybersecurity and create business resiliency plans to combat the growing threat of cyberattacks.

Emerging cybersecurity risks in healthcare 

Oliver Wyman Actuarial is monitoring the impact the cyberattack has had on the healthcare industry. Many care management and utilization management programs were significantly disrupted during the Change Healthcare system outage. As the large claim backlog that built up during the system outage is being processed, the risk of fraud and abuse has increased.

There has also been a large effect on financial reporting. The claim reporting and payment cycle was interrupted. Payers and providers engaged in valued based risk arrangements have more uncertainty around how those contracts will inevitably settle due to these delays in claims processing. An opportunity may arise to look at alternative methods for forecasting future claims, such as artificial intelligence (AI), to minimize the impact on financial projections from future disruptions stemming from cyberattacks.

Finally, the financial success for the group behind the Change Healthcare cyberattack, with reports UnitedHealth Group paid a $22 million ransom to the hackers, is likely to encourage more attacks in the future. In early May, Ascension, one of the largest hospital systems in the US, became the latest victim of cyberattacks against the healthcare industry. Many of the computerized systems used to help doctors and nurses deliver care became unavailable. In June, a cyber-attack on a lab and pathology company led to delays in care for several large hospitals in London, England.  Among other issues, the hospitals were unable to verify patient’s blood types leading to the cancellation of surgeries and cancer treatments.

The 2024 Change Healthcare cyberattack has brought to the forefront the critical vulnerabilities within the healthcare sector’s reliance on technology. The fallout from this incident has not only disrupted healthcare operations but also highlighted the emerging risks associated with cybersecurity in healthcare. As the sector moves forward, it will be imperative to address these vulnerabilities and strengthen cybersecurity measures to protect patient care and data integrity.