Healthcare mergers may face more questions about cybersecurity

When UnitedHealth Group initially moved to acquire Change Healthcare, some critics raised questions about the risks of having so much private health information under one entity.

Healthcare leaders suggest the federal government should take a close look at health mergers to ensure there are sufficient cybersecurity protections.

In the wake of the Change Healthcare ransomware attack, which many have called the largest ever in the health industry, some say increased consolidation poses greater risks of even more damaging breaches. Most hospitals and physician practices have seen some financial impact, since Change Healthcare handles so many billing and processing tasks across the industry. Change Healthcare handles 1 in 3 patient records.

Now, some experts are saying they expect federal regulators could take a closer look at cybersecurity protections in proposed healthcare mergers and acquisitions. Federal regulators may want more information on the protection of private health information.

Greg Garcia, executive director of cybersecurity for the Health Sector Coordination Council, testified at a House subcommittee hearing on the Change Healthcare attack Tuesday, and he suggested healthcare deals should get more scrutiny related to data privacy.

“The government should assess future consolidation proposals for mergers and acquisitions against their potential for increased cyber incidents and impact risk,” Garcia said.

• Read more: Health leaders ask Congress for help with cybersecurity

Garcia told lawmakers that regulators should be asking about cybersecurity as healthcare organizations look to come together. Just as regulators look at market concentration and competition in weighing healthcare mergers, they should pose questions about the potential of a breach leading to a catastrophic cyberattack, he says.

“If that finding is positive, then that should be very seriously taken into consideration as to whether to approve a merger or some kind of consolidation that could increase cyber risk,” Garcia said.

Sean Zabaneh, a partner at the Duane Morris law firm, talked about the impact of the Change Healthcare cyberattack during the Hospital + Healthcare Association of Pennsylvania Leadership Summit earlier this month.

“I think cybersecurity is something that state and federal viewers are going to be looking at when it comes to consolidation,” Zabaneh said.

For health systems looking to acquire another hospital, he says, “You're going to want to know about their cybersecurity, especially during that interim period of the deal. So there could be situations where you need to really understand, are we being exposed here? What are the requirements in place? Are they being careful? So, I think, on the merger front that's another legal trend.”

• Read more: Change Healthcare cyberattack: Lawsuits emerge, and more are coming

‘Heightened risk’ of consolidation

During the hearing, lawmakers expressed alarm at the scope of the healthcare attack, and they also talked about their discomfort with the rising consolidation across the health industry.

Rep. Frank Pallone, D-N.J., the ranking Democrat on the House Energy & Commerce Committee said the cyberattack “raises a lot of questions about the heightened risk posed by consolidation of health technology services within a single company.”

Rep. Larry Bucshon, an Indiana Republican who is also a physician, said the Federal Trade Commission is going to need to look more closely at healthcare mergers.

“I think the FTC is going to need to look at health care sector consolidation,” Bucshon said at the hearing.

Republicans and Democratic lawmakers have expressed growing unease with consolidation in healthcare, which surfaced during the hearing.

U.S. Rep. Kim Schrier, a Democrat from Washington state, noted that the U.S. Justice Department tried, albeit unsuccessfully, to block the UnitedHealth Group acquisition of Change Healthcare over concerns that too many records would be controlled by one entity.

“This attack suggests those concerns were valid,” Schrier said at the hearing.

She then asked healthcare experts at the hearing if they had opposed UnitedHealth Group’s acquisition of Change Healthcare.

John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association, told lawmakers that the association had opposed the UnitedHealth-Change Healthcare deal. Riggi said the AHA opposed the deal “because of the sector-wide risk that we understood this would pose.”

Garcia said the Health Sector Coordinating Council didn’t take a position on that deal, but said future mergers should be evaluated for the potential of breaches and cyberattacks.

Fear of other attacks

Rep. John Joyce, a Pennsylvania Republican and a dermatologist, said the Change Healthcare attack shows how cyberattacks can have far-reaching consequences as more health organizations are connected.

“Because of this consolidation, an attack on one entity has caused a massive disruption for the rest of the healthcare system,” Joyce said. “As we see increased consolidation in healthcare, I worry that incidents like this will only become increasingly more common.”

Adam Bruggeman, MD, an orthopedic surgeon with the Texas Spine Center, testified about the impact of the attack. “The Change outage was disruptive to the business and my practice, but most importantly, it was disruptive to my patients,” he said.

Given the impact of the attack, Bruggeman urged lawmakers to look closely at healthcare mergers and acquisitions.

“Congress should seize this opportunity presented by the recent cybersecurity incident to thoroughly examine whether the growing consolidation within the U.S. healthcare market truly serves the best interests of patient care,” Bruggeman said.

The FTC has taken a closer look at healthcare mergers in recent years, and federal regulators have opposed some deals, particularly involving organizations in similar markets. FTC opposition has led to some health systems from dropping planned mergers.

The FTC released new guidelines on merger applications last year, which suggest reviews of proposed deals could be more time-consuming.

More hospital mergers have been taking place over the last year, and analysts expect to see more hospitals and health systems pursuing deals, particularly as many hospitals are struggling financially.