The recent cyber-attack on Change Healthcare, orchestrated by the notorious hacking group BlackCat, has had far-reaching consequences, particularly within the dental sector. This breach not only disrupted vital services such as electronic prescribing and claims processing but also led to a significant backlog of payments for dental professionals nationwide, regardless of whether they were direct users of Change Healthcare’s services.
The BlackCat Breach: An Unprecedented Compromise
Change Healthcare, a key player in healthcare technology and services, fell victim to the sophisticated tactics of BlackCat hackers. The breach, unveiled in early March 2024, exposed vulnerabilities within Change Healthcare’s systems, allowing unauthorized access to roughly 6 terabytes of sensitive data. At the time of this publication, it is unknown what specific information was compromised, but it is a good assumption, given the data size, that patient names, addresses, birthdates and insurance information may be in that data set.
Among the services affected by the breach were electronic prescribing and claims processing. Dental professionals, reliant on these systems for efficient patient care and financial operations, found themselves at a standstill as these services became unavailable.
Disrupted Electronic Prescribing and Claims Processing
Electronic prescribing, a cornerstone of modern dental practices, enables dentists to securely send prescriptions to pharmacies, enhancing patient safety and convenience. However, with Change Healthcare’s systems compromised, dentists faced challenges accessing patient records and prescribing medications. Many practices reverted to the archaic practice of calling or faxing prescriptions to pharmacies. Since this cyber attack was so widespread, most pharmacies were able to handle this change temporarily.
Claims processing, essential for the financial health of dental practices, ground to a halt. The inability to submit insurance claims electronically led to delays in reimbursements, causing financial strain for dental professionals nationwide.
The Ripple Effect: Backlog of Payments
One of the most profound impacts of the cyber attack was the significant backlog of payments to dental professionals. This backlog, affecting practitioners regardless of their direct use of Change Healthcare’s services, highlighted the interconnectedness of the healthcare ecosystem.
With claims processing stalled and payments delayed, dental practices have been facing mounting financial pressures. The strain on cash flow and operational efficiency further exacerbated the challenges already posed by the ongoing COVID-19 pandemic, the economic downturn, and inflation in virtually every expense a dental practice has. In addition, many practices are finding that as payments trickle in, they are not accompanied by Explanation of Benefits documentation, which adds to the burden on administrative team members.
To Notify or Not
One key question is whether or not dental professionals should notify their patients of the incident. As of April 5th, 2024, various government agencies advise waiting until we have more information as to what was actually compromised. As notification is a significant cost to dental practices, let’s make sure you are doing it once, with accurate information. Multiple investigations are happening concurrently at government agencies such as the Office for Civil Rights, the Federal Trade Commission and the Federal Bureau of Investigation. As those investigations continue, that information will become available and guidance will be updated.
HIPAA Due Diligence: Vetting Vendors and Downstream Impact
In the wake of this breach, discussions surrounding HIPAA due diligence have come to the forefront. HIPAA, the Health Insurance Portability and Accountability Act, mandates strict security and privacy standards for protected health information (PHI).
Dental practices, in their duty to protect patient data, must thoroughly vet vendors and their downstream partners for HIPAA compliance. Change Healthcare, a downstream vendor for many major dental practice management vendors, serves as a HIPAA Business Associate for dental practices nationwide.
However, the cyber attack on Change Healthcare underscores the importance of ongoing due diligence. Dental practices must ensure that their vendors maintain robust cybersecurity measures and promptly address any vulnerabilities that arise. They must also ask difficult questions of their vendors to determine if downstream vendors (vendors your vendor uses) are also secure and compliant with HIPAA.
Protecting Your Dental Practice: A Call to Action
The cyber attack on Change Healthcare serves as a stark reminder of the evolving threat landscape facing the healthcare industry. Cyber attacks, fueled by the incredible value of healthcare data on the dark web, are only expected to increase in sophistication and frequency. Dental practices have quickly become a favorite of cyber criminals due to the lack of protections in place to prevent cyber attacks.
This incident with Change Healthcare should be a big wake-up call for dental practices to prioritize cybersecurity as a fundamental aspect of their operations. This includes:
- Regularly assessing and updating cybersecurity protocols with a thorough and accurate Risk Analysis
- Implementing multi-factor authentication for all systems
- Conducting thorough due diligence when selecting and monitoring vendors (not just a Business Associate Agreement)
- Providing ongoing staff training on cybersecurity best practices
The cyber-attack on Change Healthcare has brought the vulnerabilities of the healthcare industry into sharp focus. Dental practices, as stewards of patient data, must remain vigilant in the face of evolving cyber threats. By prioritizing cybersecurity and adopting a proactive approach to risk management, dental professionals can safeguard their practices and uphold the trust of their patients. It’s no longer a matter of “if” you will get attacked. It’s a matter of “when”. When it eventually happens to you, will you be prepared so that it’s a minor inconvenience, or will it be a major catastrophe?