What ERISA Health Plan Fiduciaries Need to Know in the Wake of the Change Healthcare Cyberattack

Change Healthcare, the leading healthcare claims processing provider in the United States, discovered that cyber criminals accessed its IT systems on February 21, 2024. The criminals encrypted vital IT data and claimed to have stolen six terabytes of sensitive information, including personally identifiable information and medical records.

In response to the attack, Change Healthcare disconnected its IT systems, paralyzing hospital and pharmacy systems, claims approvals, and billing and payment systems across the country, making this arguably the most significant cybersecurity disruption to healthcare in U.S. history.?

The Costs of the Cyberattack

UnitedHealth Group, Change Healthcare’s parent, paid a $22 million ransom to the cyber criminals to reduce the risk of the stolen medical data being publicly disclosed while reimbursing $3.3 billion to affected providers.?

These losses don’t include the forensic, incident, and legal costs needed to respond to the attack. In its 2024 first-quarter report, UHC reported a loss of $872 million in “unfavorable cyberattack effects.”

Change Healthcare faced yet a second cyberattack, with another four terabytes of data being held for ransom, but the validity of the subsequent attack remains unclear.?

HHS’ Investigation into the Cyberattack

On March 13, 2024, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its investigation into the cybersecurity incident. OCR oversees and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules that apply to healthcare providers, clearinghouses, health plans, and their business associates.

OCR mentioned that although entities doing business with Change Healthcare or UnitedHealth Group are not under investigation, it is reminding them of their “regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

HIPAA and ERISA Group Health Plans

Group health plans subject to HIPAA’s requirements are also typically subject to the responsibilities under the Employee Retirement Income Security Act of 1974, as amended (ERISA). Under ERISA, an individual who exercises any discretionary authority or control under the plan is an ERISA fiduciary.?

Under HIPAA, covered entities, such as health plans, must designate a privacy and a security officer to develop and enforce the plan’s HIPAA compliance. No current guidance states explicitly that a HIPAA privacy or security officer is an ERISA fiduciary.

However, if the HIPAA privacy or security officer is granted sufficient discretion as to the ERISA plan, then they may rise to the level of a fiduciary. ERISA requires fiduciaries to administer the group health plan prudently while acting solely in the best interests of the plan participants and beneficiaries.?

Under the Department of Labor’s 2021 cybersecurity best practices, ERISA fiduciaries must take appropriate precautions to mitigate any cybersecurity risks. Therefore, if HIPAA privacy and security officers are indeed fiduciaries, then they have a legal responsibility to notify plan participants and their beneficiaries of the cybersecurity breach while mitigating any potential harm as soon as they become aware of the attack.

DOL Best Practices for Cybersecurity Incidents

In 2021, the Department of Labor (DOL) issued best practices for cybersecurity incidents. Although not law, it’s recommended that employers with ERISA plans follow this guidance.

Initially geared towards ERISA-governed retirement plans, the DOL has subsequently stated that its 2021 cybersecurity best practices also apply to ERISA-governed group health plans.?

The DOL issued its cybersecurity guidance through the following resources:

• Cybersecurity Program Best Practices (for employers, other plan fiduciaries, and 401k plan service providers)
• Online Security Tips (for participants and beneficiaries)
• Tips for Hiring a Service Provider with Strong Cybersecurity Practices?(for employers and other plan fiduciaries)

Specifically, the DOL lists 12 best practices to help ERISA plan fiduciaries to mitigate cybersecurity risks:

1. Have a formal, well documented cybersecurity program.?
2. Conduct prudent annual risk assessments.?
3. Have a reliable annual third-party audit of security controls.?
4. Clearly define and assign information security roles and responsibilities.?
5. Have strong access control procedures.?
6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.?
7. Conduct periodic cybersecurity awareness training.?
8. Implement and manage a secure system development life cycle (SDLC) program.?
9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.?
10. Encrypt sensitive data, stored and in transit.?
11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.

Although not yet required by statute or regulation, employers are encouraged to consider adopting these best practices to help withstand any DOL scrutiny related to cybersecurity.