Change Healthcare cyberattack affected 100 million Americans

Nearly one-third of all Americans have been affected by the Change Healthcare cyberattack.

The company said 100 million individuals were impacted by the ransomware attack, according to data published recently by the U.S. Department of Health & Human Services. The department’s office of civil rights tracks all health data breaches that affect more than 500 people.

Change Healthcare, which is owned by UnitedHealth Group, suffered a ransomware attack in February. Healthcare cybersecurity leaders have told Congress that it’s the most disruptive cyberattack ever seen in the U.S. healthcare industry.

Nearly all U.S. hospitals and medical groups experienced financial losses from the attack, because Change Healthcare offers so many services to the industry, including billing and pharmacy services.

To give some perspective on the scope of the Change Healthcare cyberattack, more than 130 million Americans were affected by all of the health data breaches covering all organizations nationwide in 2023, according to the health department. The Change Healthcare attack alone is within striking distance of that figure.

Federal lawmakers have criticized United Healthcare for taking too long to notify Americans who may have been affected.

At a Senate Finance Committee hearing in May, Sen. Maggie Hassan, D-New Hampshire, urged UnitedHealth Group CEO Andrew Witty to expedite notices to individuals who may have been affected by the breach.

“Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals,” Hassan said in May.

Some notices were sent to customers in September.

UnitedHealth has paid billions of dollars in loans and advance payments to providers who were disrupted by the attack. Witty also told Congress earlier this year that the company paid a ransom of $22 million. A Russian ransomware group known as Blackcat claimed responsibility for the attack, and federal officials said the group has targeted healthcare organizations.

In its third quarter earnings report released Oct. 15, UnitedHealth estimated that the impact of the Change Healthcare account is 75 cents per share. The company reported revenues of $100.8 billion, an increase of $8.5 billion year over year.

Driven in part by the attack, U.S. Sen. Ron Wyden, D-Oregon, called on the Health Department to ensure healthcare organizations meet some basic standards in cybersecurity. Wyden, the chairman of the Senate Finance Committee, said the federal government’s approach to cybersecurity is “woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.”

Earlier this month, Wyden sent a letter to UnitedHealth asking for more information about the company’s cybersecurity. During the May hearing, Wyden faulted the company for insufficient protections that led to the breach.

In the letter, Wyden asked Witty to explain what steps UnitedHealth has undertaken to prevent other breaches, and for copies of independent cybersecurity audits five years before the February attack. He also pointed to what he described as UnitedHealth’s “lax cybersecurity practices.”

“Congress has a responsibility to conduct rigorous oversight to determine what legislative actions might be necessary in the wake of the most significant cyberattack against the U.S. health care sector to date,” Wyden wrote.

It appears that the number of Americans affected by cyberattacks this year is certain to be higher than last year’s figure.

Through the first six months of 2024, more than 31 million Americans were affected by the 10 biggest health data breaches reported to the government, according to a Chief Healthcare Executive® review of federal data. And that figure didn’t include the Change Healthcare attack, or those impacted by scores of other breaches.

There were more than 300 breaches of health data reported to the health department in the first half of the year.

Coming Monday: Chief Healthcare Executive® presents a discussion from top cybersecurity experts in healthcare.