Mar 21, 2024 - Health

UnitedHealth hack reveals gaps in doctors' cyberattack insurance


Illustration: Shoshana Gordon/Axios

Many health care providers struggling to get paid after the hack of a UnitedHealth Group subsidiary are still trying to figure out if their cyberattack insurance will help cover their losses.

Why it matters: Providers ranging from large health systems to small independent practices are racking up big bills and say efforts to advance payments while Change Healthcare restores medical claims systems are falling short.

  • Insurance that health care providers bought for a cyberattack on their own organizations might not provide much protection when they're affected by an attack elsewhere, experts told Axios.

The big picture: While many cyber insurance plans cover business disruption, the value of such coverage varies greatly, and experts warn many may be underinsured for an unprecedented attack of this magnitude.

  • It's also possible some providers affected by the Change Healthcare outage wouldn't have thought to ask for coverage of an attack on a vendor or didn't want to pay the additional cost, said Josephine Wolff, a cybersecurity policy expert at Tufts University.
  • Many other providers have been unable to afford any coverage due to soaring cyber insurance rates amid surging attacks on the industry.
  • Other providers cut back coverage during an especially tough market for cyber insurance between 2020 and 2022 and didn't restore it when conditions softened, said Stephanie Snyder Frenier of brokerage CAC Specialty.

Between the lines: Though it's hard to nail down just how protected organizations are against cyberattacks, surveys show just about 15% of companies have standalone insurance plans, said Nir Perry, CEO of Cyberwrite, a company that uses AI to measure cyber risk for companies.

  • In the initial aftermath of the Change Healthcare attack, some large health systems estimated they were losing over $100 million per day.
  • Many cyber insurance carriers limit coverage to no more than $5 million for larger systems, Perry said.
  • "You have to build a tower of carriers to get the amount of coverage needed for your organization," Perry said.

For smaller providers like doctors' offices, add-on coverage is likely far less comprehensive than they realize.

  • "The problem with those add-ons is that they may cover you up to $25,000 or $50,000 of damage. In many cases, the actual damage is much, much higher," Perry said.

Zoom in: Bay Area Therapy Group Marriage and Family Counseling, a lead plaintiff on one of the class-action lawsuits providers have filed against UnitedHealth, has cybersecurity coverage — but attacks against a vendor are "pretty clearly excluded" from its policy, said co-owner Katy Ross.

  • The business has at least $350,000 in damages so far, including costs from an emergency business loan with a 50% interest rate and from prematurely pulling investments from retirement accounts to make payroll, said co-owner John Bieda.
  • Evan Goldfischer, president of the LUGPA, said he and other practice owners he's spoken with have concerns about their coverage.
  • "We got through COVID — we'll figure this out. But it's going to hurt," Goldfischer said.

What's next: Providers are calling for a federal emergency response to help minimize the fallout.

  • So far, those calls have been met with accelerated payments, some increased flexibilities, as well as pressure on private insurers to do more.
  • More providers will also likely recoup costs through the courts.

Note: This story has been updated to reflect that Stephanie Snyder Frenier is a cyber solutions expert from CAC Specialty, not CAC Specialty Insurance Solutions.
