LegalReader.com  ·  Legal News, Analysis, & Commentary

Legal Implications of Data Breaches in Healthcare: Change Healthcare’s Cyberattack Analyzed


— August 8, 2024

Companies must thoroughly revisit their data privacy and security policies, to ensure that their patient and staff data are protected to the fullest extent.


As of the end of 2023, it’s reported that as many as 93 million healthcare records have been stolen or compromised, due to data breaches within the industry. A lot more needs to be done to shore up cybersecurity and reduce the number of attacks that occur. This recent LA County attack highlights the seriousness of the situation and it appears the situation isn’t getting any easier across the board. 

Indeed, it was highlighted further in recent weeks when Change Healthcare had to take its technology systems offline after it was reported it had been the victim of a cyberattack. In the following weeks, healthcare providers were still trying to deal with the operational, economic, and legal costs of the incident.

Change Healthcare’s Cybersecurity Scare

At the end of February 2024, healthcare company Change reported a company-wide connectivity issue, which had occurred because of a cyber attack. 

Its IT systems were shut down, which essentially stopped its operations. After the event, it was discovered that the attack had been carried out by ALPHV/Blackcat, a recognized ransomware group that was identified as the “threat actor” which had, in this instance, broken into the company’s systems and caused the shutdown.

It took until the end of March before full network connectivity was restored – that’s nearly a whole month, and that came at a high cost to patients and healthcare providers.

What is the wider cost to providers? 

Since this incident, healthcare providers have experienced major disruption. The AHA (American Hospital Association) wrote to Congress to make clear that the cyber attack on Change’s systems had hampered providers across the board in their ability to verify lots of patient data, including processing claims, verifying health insurance coverage, and, in certain circumstances, gaining access to clinical guidelines used for patient safety.

Not only did it disrupt providers, but it impacted patients too – who reported having their access to copayment assistance revoked and being unable to access discount programs for prescription medication or, in some instances, obtain authorization notes for treatment.

Digital Health Risk Assurance company First Health Advisory claims that providers lost over $100 million a day in the aftermath of the attack. This was described as “staggering” by the AHA, with some hospitals unable not only to pay clinicians’ salaries but also to provide medicines and supplies or pay for contract work like physical security, dietary, and environmental services.

The American Medical Association, following on from this, reported that physicians and their practice staff were still facing considerable uncertainty about when daily transactions could be resumed – and that some were faced with “unenviable decisions” regarding how they would continue to meet their obligations like caring for patients and paying staff. 

The breach further affected Medicare providers and suppliers with the net result that some will face cash flow problems from the “unusual circumstances” that have impacted the way services operate. Many Medicaid providers have also been deeply affected by the attack, and in the initial aftermath were unable to provide the normal level of support that claimants would be used to. 

Concerns over private patient information and security

This scenario raises the question of whether healthcare systems are safe enough and whether allowing more machine learning or AI-based technology is a good idea. There’s absolutely no doubt that AI can bring a host of benefits to healthcare providers and patients, such as automation of tasks and managing patient data, but this must be backed up with even more robust security practices.

There are also legal implications to consider. Millions of citizens across the USA are thought to have had their data compromised in this attack and there are already six lawsuits filed, seeking class action against Change and its partners.

These lawsuits claim Change Healthcare did not do enough to maintain reasonable cybersecurity standards to prevent data breaches resulting in identity theft, loss of patient privacy, and other harms.

What can providers do about the legal implications of data breaches?

After this cyberattack, providers are now being urged to re-assess their systems, not only to determine what (if any) damage has occurred to them as a potential result of this case but also to future-proof against further attacks.

Companies must thoroughly revisit their data privacy and security policies, to ensure that their patient and staff data are protected to the fullest extent to prevent further attacks and to mitigate the chances of legal ramifications from any that do arise. 

Key steps that patients can take if they have been affected by this, or any other form of breach of their healthcare data, include collecting all relevant evidence and information pertinent to the case.

This includes information about the breach, all correspondence with the healthcare provider, and documents that pertain to the financial or emotional losses incurred. Once this has been gathered, it’s important to seek the right legal advice from a qualified legal team who will be able to assess the chances of winning a case. 
