The Times They Are A-changing: The need to re-evaluate business associate agreements in the wake of cyber attacks on the healthcare industry

By: Julia N. Bover

You may have heard that Change Healthcare, a subsidiary of UnitedHealth Group, experienced a major ransomware attack late last month. The company, which is responsible for handling the prescription billing of more than 67,000 pharmacies across the U.S., first discovered the hack on February 21, 2024, and proceeded to disconnect impacted systems immediately. It was later found that the attack was perpetrated by ALPHV/Blackcat, a group that is notorious for targeting healthcare organizations. 

We are now a few weeks out from the attack, and things are just getting back to normal. For weeks, healthcare providers were unable to transmit prescriptions, and medical groups were struggling with billing, acquiring prior authorizations for insurers, and verifying the insurance eligibility of patients. Reportedly, some medical groups went without inbound charges and outbound payment for weeks. Furthermore, hospitals that typically rely on Change Healthcare for a number of different services had also been left in the dark with no end in sight. Not to mention the millions of patient medical records that may have been accessed and acquired as a result of the event. 

The aftermath of the attack has had such a catastrophic effect on the healthcare industry’s infrastructure that Senate Majority Leader Charles Schumer has begun pleading with federal health officials to provide immediate assistance to New York hospitals as well as healthcare providers nationwide who have been entirely incapacitated by the ongoing attack.  

It goes without saying that based on Change Healthcare’s forensic findings and any required notices, we are more than likely to see widespread litigation efforts in the form of class action lawsuits and other potential third-party claims. While the scope of potential liability is not clear at this point, it is not hard to imagine that plaintiffs and their attorneys will try to build theories around alleged harm from interruptions to their medications or healthcare, in addition to the compromise of their personal information.

Beyond the obvious legal ramifications of such an attack, the incident also highlights the need for enhanced cybersecurity solutions within the healthcare sector. It is imperative that healthcare organizations and the third-party vendors on whom they rely evaluate their policies, procedures, and technical safeguards. At its core, Change Healthcare is a technology platform. However, by providing healthcare technology services and solutions and by processing and managing protected health information (PHI) on behalf of covered entities, it is classified as a business associate under HIPAA. As such, it is required to implement safeguards to protect the integrity and the security of the PHI it manages. This recent attack will undoubtedly force many healthcare entities relying on third-party vendors, such as Change Healthcare, to re-evaluate their agreements with these vendors and ensure their compliance with HIPAA and any other required standards. Enhanced data encryption, access controls, and periodic risk assessments, for example, need to become bare-minimum protocols for organizations dealing with PHI. FMG’s Data Privacy and Cybersecurity Practice Section is well versed in the preparation of business associate agreements (BAAs) and can help evaluate any required changes to existing BAAs.

For more information contact Julia Bover at, or your local FMG attorney.