Change Healthcare, a UnitedHealth Group technology unit that’s one of the largest healthcare technology vendors in the US, announced on February 21 that it experienced a network security incident. The Change Healthcare cyber incident has impacted several hundred healthcare providers who rely on Change Healthcare for revenue and payment cycle management that connects payers, providers and patients. Those affected include clinics, hospitals, pharmacies, medical practices and others within the US healthcare sector. According to one estimate, some providers are losing as much as $100 million per day in revenue,2 and as of this writing, there’s no timeline indicating when services will be back online.

While developments are still unfolding, it’s been reported that hacking group AlphV/BlackCat is behind the attack.

The Cyber insurance market remains laser focused on threats to critical infrastructure, including the healthcare sector. The potential for an attack or a system outage such as this one could lead to a dreaded systemic loss, having a cascading impact on multiple insureds around the globe.

Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by losses related to this incident, directly or indirectly either through vendor or supply chain relationships. Many stand-alone Cyber insurance policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.

As a result, the Cyber insurance marketplace has addressed these concerns by changing —and in some cases — restricting or excluding coverage. When reviewing Cyber insurance and other policies that may provide a mechanism to transfer cyber risk for both healthcare service providers and those that rely on them, insureds should be mindful of several potential coverage pitfalls, including but not limited to:

• Critical infrastructure exclusions that may eliminate coverage for all losses related to a specified critical infrastructure target, which may include the healthcare sector
• Catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations
• Contingent business interruption sub-limit or exclusionary language that may apply to organizations that weren’t direct targets, but suffer consequences of a critical infrastructure cyber attack
• Regulatory risks that may limit or exclude coverage for regulatory investigations, lawsuits, fines and settlements

Read the full article at: Gallagher

For further information please visit larsbrokers.com