Change Healthcare has officially confirmed that a cyberattack on February 21, 2024, compromised the medical records of over 100 million individuals. This incident represents the largest breach of protected health information (PHI) among HIPAA-regulated entities, surpassing the record-breaking data breach of Anthem Inc. in 2015, which affected 78.8 million people.
Due to the scale of the breach, the U.S. Office for Civil Rights (OCR) initiated a separate investigation. At the time of the initial report in July, the company cited 500 affected individuals, as the analysis was ongoing. Now, Change Healthcare has provided updated figures, estimating approximately 100 million affected individuals, though the verification process remains incomplete, and the number may fluctuate.
Senator Ron Wyden criticized the company’s approach to cybersecurity, highlighting the lack of multi-factor authentication on one of the servers, which enabled attackers to gain access and inflict widespread damage. He called for reforms mandating stricter accountability for security breaches and increased penalties for HIPAA non-compliance.
UnitedHealth Group, the owner of Change Healthcare, has faced enormous financial repercussions from the incident. As of Q3 2024, cyberattack-related losses amounted to $2.87 billion. System restoration is ongoing, but some operations and transactions have not returned to pre-attack levels.
The cyberattack has sparked a wave of lawsuits. More than 50 suits filed by patients and healthcare institutions have been consolidated for trial in Minnesota. Plaintiffs accuse the company of inadequate data protection and seek compensation for the breach of personal information.
The incident has also raised concerns over the potential recurrence of similar attacks. A report from the American Medical Association (AMA) indicates that 60% of healthcare providers continue to struggle with verifying insurance information and submitting payment claims several months after the attack.
The Change Healthcare scandal serves as a stark warning for the industry, underscoring the need to reassess cybersecurity priorities. Agencies like the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have begun developing new standards for critical sectors, including healthcare.