Even if you are a nonaffected bystander, it’s hard not to be drawn into the evolving and increasingly drama-filled story surrounding the Change Healthcare cyberattack.

The damage control seemed rather routine at the outset. Just for fun, here’s an abbreviated play-by-play:

First, news surfaces in late February about a cyberattack affecting Change, a unit of UnitedHealth Group that provides revenue and payment cycle management and connects payers, providers and patients within the United State healthcare system. The attack by the Blackcat ransomware group sent the provider’s platform offline and hurt many providers’ ability to submit claims and receive payments. As providers begin to feel the financial fallout from the downed system, UHG offers a Temporary Assistance Funding Program for affected providers. The Department of Health and Human Services soon steps in with a message acknowledging the situation and outlines steps to support providers in receiving timely payments. A couple of days later, UHG issues a statement spelling out a timeline to restore systems.

Twists and turns

Then the plot begins to thicken. Last Sunday, the heads of two federal agencies, HHS and Labor, issue a letter to healthcare leaders, essentially urging them to do more to  help providers compromised by cash flow challenges.

“Specifically, we call on UHG, other insurance companies, clearinghouses, and healthcare entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers,” the letter said.

In a press call about the HHS budget on Monday, Xavier Bacerra, secretary of HHS, clearly sounds frustrated with the actions (or lack thereof) UHG had been taking.

“The private sector has to step up,” he said, adding that it can’t just throw up its hands and ask to be bailed out. “We are asking all those stakeholders … to step up and we’ll continue to ask them to step just as we the federal government have stepped up.”

He also talks in a question-and-answer period about how at some point providers will have costs to pay for not implementing the proper technologies for preventing and alleviating cyberattacks.

The summons

Given Becerra’s tone, it was not surprising that just a day later, on Tuesday, the White House summoned UHG CEO Andrew Witty and others in the industry to discuss the hack.

Finally, the coup de grace occurred Wednesday, when HHS’ Office for Civil Rights revealed it was conducting an investigation into the cyberattack — specifically to assess whether protected health information was exposed and whether Change followed laws protecting patient privacy.

What began as the discovery of a major breach of a private company’s defenses has morphed into an examination of possible wrongdoing by the nation’s largest health insurer.

How the screw turns. Given how common cyberattacks are, UHG’s situation almost sounds like a cautionary tale for the rest of the healthcare system. Through its actions, HHS is showing it does not have much tolerance for a breach, especially as it affects providers and patients. The clear message for insurance companies and others is unmistakable: You better start investing in the proper cybersecurity technology or face the music — especially if you are raking in billions in revenues.

Liza Berger is editor of McKnight’s Home Care. Email her at [email protected].