Weeks after a cyberattack on UnitedHealth Group’s Change Healthcare unit crippled the processing of medical claims and prescriptions nationwide — and potentially exposed patient data — some lessons have emerged.
First, the federal government and industry executives have known for years that the U.S. healthcare system was vulnerable to hacking, according to The Washington Post, but failed to make improvements that could stop attacks. Ransomware gangs like “Blackcat” (also known as ALPHV), which purportedly carried out the Change Healthcare attack, see the industry as an easy target that is willing to pay ransom demands to restore operations — but only after the monetary expense and the loss of private data.
According to Reuters, Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. The ransom attack, called the largest ever in the U.S. healthcare industry, cut off reimbursements to pharmacies, hospitals, and other providers, costing them an estimated $100 million a day. UnitedHealth said it provided up to $2 billion in advances to cover providers who couldn’t receive reimbursements while the system was down. But UnitedHealth didn’t deny reports it held out two weeks before paying the $22 million ransom, according to the Post, and a return to normal operations for providers took a month.
But whistleblowers can play an important role in ending this cycle, reporting malware and breaches so that vulnerabilities can be patched before hackers can send out a ransom demand. While not all ransomware attacks are the result of fraud, failure to report a breach in a timely manner or failure to follow cybersecurity guidelines can be a violation of the law. The U.S. Department of Justice introduced the Civil Cyber-Fraud Initiative to incentivize whistleblowers to help the government pursue cybersecurity-related fraud committed by government contractors and grant recipients.
In 2022, the Justice Department announced its first resolution under the Civil Cyber-Fraud Initiative: Comprehensive Health Services LLC (CHS) agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing that it complied with contract requirements relating to the provision of medical services. Under one of the contracts, CHS submitted claims for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records but allegedly failed to disclose that it had not consistently stored records on that system.
When the initiative was introduced, then-Acting Assistant Attorney General Brian M. Boynton said three common cybersecurity failures would be prime candidates for False Claims Act enforcement under the new initiative:
- The knowing failure to comply with cybersecurity standards
- The knowing misrepresentation of security controls and practices
- The knowing failure to timely report suspected breaches
Boynton said the new initiative helps hold contractors and grantees to their commitments to protect government information and infrastructure and leads to the timely identification, creation and publication of patches for vulnerabilities.
“As they have in many other aspects of False Claims Act enforcement, we expect whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena,” he said. “False Claims Act enforcement and whistleblower reporting will help spur compliance by contractors and grantees.”
The Department of Health and Human Services is investigating the UnitedHealth hack, seeking to determine whether protected health data was breached and whether the law requiring patient notification in the event of a breach was followed. While the hackers allegedly claimed they had stolen 8 terabytes of data, including records from Medicare, Tricare, and CVS Health, UnitedHealth has not disclosed information about what patient data may have been exposed.
Whistleblowers can play a critical role in reporting to the government when companies fail to properly report breaches and the loss of private patient data. For those who want to report such wrongdoing, it’s critical to engage a whistleblower attorney early in the process. With more than 30 years of combined experience litigating fraud and employment cases — and billions in recoveries for its clients — Keller Grover is uniquely positioned to represent whistleblowers.
If you want to report cybersecurity fraud in your organization, we are here to help. For advice about how to handle suspected fraud, contact Keller Grover for a free and confidential consultation.