Insurance and cyberattacks

The recent cyberattack on Change Healthcare Inc., a health care technology organization owned by UnitedHealth Group, taught health care providers something they know all too well already—their entire livelihood lies in the hands of the nation’s health insurance companies.

Change Healthcare processes payments owed to health care providers from hundreds of insurance companies. It is a clearinghouse—validating and finalizing health care providers’ claims for payment to the insurance companies. It includes a network of over 6,000 hospitals and one million physicians.

Thus, when a cyberattack recently forced Change Healthcare to put the deep freeze on payments to providers, the consequences were devastating nationwide.

Four out of five physician practices lost significant revenue because of this attack, according to an analysis conducted by the American Medical Association. Some can’t afford to pay their staff, some have taken out personal loans to keep their businesses operating, and some have simply stopped seeing patients altogether. As for hospitals, an AHA survey found that 94% had suffered financial impact from the attack, with more than half reporting a "significant or serious" impact. That impact continues. An April 29 AHA letter to House Energy & Commerce leadership asserted that "hospitals, physicians and patients are continuing to experience financial and operational impacts."

In response to the attack, in March, CMS launched an emergency advance payment program for providers whose Medicare claims processing was impaired, and authorized states to make interim Medicaid payments. In addition, UnitedHealth’s Optum subsidiary, which houses Change Healthcare, announced a temporary funding assistance program. But these partial patches have only modestly relieved the financial stress on providers nationwide.

Potential insurance coverage: Contingent business interruption

What these providers may not know is that they may not be helpless. They may be able to mitigate their losses with insurance coverage they already possess within their property and cyber insurance policies. The key may be provisions within these existing policies that establish coverage for contingent business interruption (sometimes called dependent business interruption).

Contingent business interruption insurance is, in the vernacular, coverage for losses that policyholders suffer indirectly. For example, if a natural disaster or other emergency such as a hurricane, fire, or other calamity impacts a policyholder’s supplier or vendor, that may cause the policyholder to lose income even though the policyholder was not damaged directly. But, since losses are losses, the need for insurance protection is the same. That’s where contingent business interruption coverage comes into play. Generally, contingent business interruption coverage requires that the policy include coverage for the type of loss or damage that affected its suppliers or customers.

Contingent business interruption coverage may protect providers here from the losses they experienced indirectly as a result of the cyberattack on Change Healthcare.

Contingent business interruption insurance is commonly found in a business’s property insurance policies. Such provisions could provide coverage here because damage even to electronic data from cyberattacks can be covered under such policies.

The same is true for a business’s cyber insurance policies, depending upon the scope of the cyber coverage. Cyber insurance policies protect against ransomware attacks by covering expenses like data restoration, business interruption, and extortion payments, as well as the many downstream effects flowing from those cyberattacks. Cyber policies generally include some form of contingent business interruption, so providers will need to check if their policies provide coverage for indirect losses from cyberattacks on others. The nation’s largest insurance brokers are advising clients impacted by the Change Healthcare cyberattack to put their cyber insurance companies on notice.

Here is the language that one cyber insurance provider, Travelers’ subsidiary Corvus, uses to describe the scope of contingent business interruption coverage in its policies:

• Business Income Loss and Extra Expenses incurred during the Interruption Period caused directly as a result of the total, partial, or intermittent interruption or degradation in service of the Computer System of an Outsourced Service Provider caused directly by a Privacy Breach, Security Breach, or Administrative Error at that Outsourced Service Provider. (Full limits)

Some cyber policies provide such coverage only if specifically named types of service providers or even named vendors suffer a service interruption that triggers losses for the policyholder. Potential coverage would thus depend on specific language in the cyber policy in question.

The magnitude of the losses from the cyberattack on Change, including its downstream effects, cannot be overstated. Providers are considering what was once unthinkable—cutting their losses and closing shop. But insurance may provide some hope.

To be sure not to miss any protections, health care providers who were damaged by the attack on Change should notify their insurance companies immediately, and also should keep careful track of all losses attributable to this massive cyberattack.

Rhonda D. Orin and Bruce Strong are partners at Anderson Kill P.C., a law firm that has specialized for more than 50 years in representing policyholders against insurance companies. They have experience with the complex insurance issues faced by hospitals and other institutions, as well as providers and employers who sponsor health plans. They can be reached at Rorin@andersonkill.com and Bstrong@andersonkill.com.