Change Healthcare data breach officially affects 100 million people

Diving overview:

Change Healthcare's massive cyber attack may have compromised the data of 100 million people. This is the largest health data breach ever reported to federal regulators. The ransomware attack on UnitedHealth's technology company is similar to the 2015 Anthem (now Elevance Health) data breach that compromised the information of 78.8 million Americans, according to a portal run by the Department of Health's Office of Civil Rights. It is said to exceed the previous record. Questions have also been swirling for months about a potentially large-scale data breach, given Change's role as a major medical claims processing company that processes billions of claims each year. UnitedHealth CEO Andrew Whitty estimated to Congress in May that one-third of individuals in the United States could be affected by the breach.

Dive Insight:

Change was hit by a ransomware attack in February that caused weeks of disruption to the healthcare industry.

Providers are reporting challenges verifying patients' insurance coverage, submitting pre-authorization requests and receiving fees for services, and fear some practices may go under without an influx of cash. There are growing concerns about CMS and UnitedHealth have launched a financial relief program for health care providers struggling to collect reimbursements during service outages.

Responding to the cyber attack also cost UnitedHealth money. Earlier this month, the healthcare giant said the attacks had a total impact of $2.5 billion for the nine months ending September 30, including $1.7 billion in direct response costs. are.

Change began notifying customers in June when member or patient data was affected, and began sending letters to affected individuals in July.

A UnitedHealth spokesperson told Healthcare Dive that the company is in “regular communication” with HHS, OCR and other regulators regarding the notification process.

“Given the amount and complexity of the data involved, and as the investigation is still in its final stages, we will continue to regularly notify potentially affected individuals as soon as possible,” the spokesperson said in an email. said.

Change's breach report comes as data breaches in the healthcare industry impact more Americans and expose sensitive medical data. In an interview at the HLTH conference earlier this week, OCR Director Melanie Fontes Reiner said that approximately 140 million people will be affected by a major breach in 2023, up from 51 million in 2022. Ta.

“And this year, we expect that number to potentially double or even more due to both the Transmutation Violation and the Ascension Violation,” she said.