A far-reaching cybersecurity breach involving a health care technology company that provides billing, payment, revenue cycle management, and other services for health plans, health providers, and pharmacies. Change Healthcare, a subsidiary of a major health insurer (UnitedHealth Group), is a business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see Practice Note, HIPAA Privacy Rule: Business Associates and HIPAA Privacy, Security, and Breach Notification Toolkit).

In February 2024, Change Healthcare sustained a widescale cyberattack that disrupted the ability of hospitals, providers, and pharmacies to process claims and receive payments. Following the attack, the Departments Labor (DOL) and Health and Human Services (HHS) encouraged health insurers and other payers to make interim payments to affected providers to avoid attack-related cash flow concerns.

For more information, see Legal Update, Cyberattack Against Change Healthcare Leads to Litigation.