Your Vendor is the Victim of a Cyberattack. Now What?

Lessons from the Change Healthcare Cyberattack

By Beau Falgout

Senior Managing Director


Almost a third of Americans were impacted by the February cyberattack on Change Healthcare – UnitedHealth Group’s clearinghouse for medical claims – and it has taken more than four months for Change to get a handle on the full extent of the massive breach. As a result, patients are just now beginning to receive notifications from Change that their data may have been compromised.

In cases like this, providers have a valuable role to play in the notification process: serving as conduits between patients and vendors (in this case, Change). Providers should take the opportunity to engage with their patients through empathetic, informed, and, in some instances, face-to-face communications, which can increase trust and bolster the provider’s reputation. This is especially important considering patient switching costs are at their lowest in history.

Below are some recommended steps for providers to consider as they determine their own strategies and tactics for engaging with patients regarding this attack and compromised patient data.

While these recommendations are directed towards providers who use Change’s platform, they can be applied to any service providers whose vendors are the victims of cyber incidents.

First, work with your vendor to gather the facts.

  • Providers should establish contact with Change to understand what patient data has been compromised and what steps patients may need to take.

  • In engaging with Change, providers should learn what is known, what is unknown, and what may change in the future. Doing so will decrease the risk that the provider will get ahead of the facts and later have to walk back or adjust guidance provided to patients.

Second, develop key messages and communications posture.

  • The key messages should align with the facts and enable providers to speak with patients transparently and in a straightforward manner.

  • Key messages should answer the questions likely to be top of mind for key stakeholders, and patients in particular, including: “What happened?”, “What should I do to protect myself and my data?”, and “What’s being done to prevent this from happening again?”

  • In addition to answering these fundamental questions, establishing that providers were not at fault for the vulnerabilities that enabled the cyberattack will be helpful to convey to patients. To avoid the perception that providers are blaming Change, this message can be delivered alongside a point about how Change is shoring up its cyber defenses and, if true, working collaboratively with providers to better protect patient data going forward.

  • In crafting these messages, consider whether and how they’ll be delivered proactively versus reactively.

Third, develop the materials you will use to deliver the key messages.

  • For instance, providers can send an email to patients (or a healthcare portal notification) containing:

    • A brief overview of the situation.

    • How the organization is working with Change to better protect patients’ data in the future.

    • An FAQ informed by the information from Change.

    • Details for patients to contact Change if they have additional questions.

  • Providers should also be prepared to address the cyberattack at the point of care. This can likely be done on a reactive basis, using talking points for providers’ conversations with patients and a printed Q&A document that can be shared with patients in exam rooms or as they leave the point of care.

Finally, assess the impact of the strategy and materials and adjust as necessary.

  • As more information comes to light through Change’s and regulators’ investigations and forensic analyses – and as conversations with patients take place – practices should review their strategy, messaging, and materials to ensure patients feel reassured and equipped with the right information to take action where necessary.
