Massive cyber attack sounds alarm bells over health care data security

A hack of payment processor Change Healthcare by Russian cybercriminals has severely crippled payment processing for doctors and hospitals. A federal investigation is underway.

By Shelly Brisbin | March 25, 2024 11:03 am

A major cyberattack continues to cripple segments of the health care industry. The attack’s direct victims were not patients, but the systems that make it possible for hospitals, doctors and insurance companies to exchange payments. 

The hack of Change Healthcare in February has created significant cash flow issues for these providers, and it’s now getting the attention of federal officials, who are investigating the specific incident and exploring the wider implications of attacks on health care infrastructure.

John Sakellariadis covers cybersecurity at Politico. He says Change Healthcare is responsible for some 15 billion medical financial transactions each year.

This transcript has been edited lightly for clarity:

Texas Standard: Tell us about the company at the center of this attack. What does Change Healthcare do?  

John Sakellariadis: Change Healthcare is a medical clearinghouse. They connect health care providers – everything from larger hospital systems to small private practices, to insurance companies. They verify eligibility on insurance. They help connect reimbursements for big medical claims, verify eligibility for major procedures.

So this really critical connective tissue between the folks on the front line actually providing services, and then the big insurance companies that provide the funding to the health care providers on the front line. 

Well, the attack’s impacts have rippled across the health care industry, from patient portals to hospitals to insurance companies. Can you give us an idea of what’s happened? 

So the attack began on Feb. 21, or that’s when it was reported to the [Securities and Exchange Commission] SEC by Change, which, by the way, is owned by insurance giant United Healthcare. And at that time, Change responded by taking pretty much all of their systems offline as they kind of dealt with and triaged the incident.

So as a result, they basically choked off the ability for health care providers across the country to provide certain services to their patients, but also to collect revenue. So we’ve had this huge backlog. 

United actually said this weekend, as they’re bringing some of these services back online, they’re hoping to fill what is right now a $14 billion backlog. So you had this enormous financial impact on providers across the country, some who have been forced to miss payroll.

There are a few reports beginning to trickle out of some providers that maybe have been forced to shutter. We’re still learning a little bit more about this point. So there’s huge financial impact as a result of the outage at Change. 

Now you’ve written this attack is drawing the attention of Washington. What’s happening there and who’s involved? 

You’ve got a couple things going on within the executive branch. The Department of Health and Human Services has announced a regulatory investigation into the incident, and they are seeing whether UnitedHealth and Change were compliant with the federal health data privacy law known as HIPAA.

But there’s a whole bunch of other things going on in the federal government. The Biden administration’s kind of alarmed at the fallout from this one company. They are big. They were bought for $15 billion two years ago by United, but nobody had ever heard of them. And they brought down the U.S. health care sector.

So the Biden administration, one thing they’re thinking about is “hey, how many other companies are there out there that, if they are brought down like a house of cards, the rest of the U.S. health care sector kind of comes down with them?”

At this point, what should consumers know? They heard you mentioned HIPAA, and that might have raised hackles. It’s like, wait a minute, is personal data or privacy at risk or is it yet to be seen? 

I should probably mention at this point that the group behind the attack is a likely Russian ransomware group – a cybercriminal gang that has this history of breaking into companies, stealing their data or deleting it, and then threatening the company to make that data public or delete it permanently unless they get a multimillion-dollar payment in cryptocurrency.

Again, we haven’t fully verified this. United won’t speak publicly on this yet – they have an investigation that’s ongoing. But the group behind this attack has claimed that they stole six terabytes, which is an enormous trove of really sensitive personal health data on U.S. citizens, active duty service members, pretty much everybody you can think of. Change, again as a reminder of how big they are, they have said they processed like 15 billion transactions or something per year.

So yes, definitely be on the lookout for kind of another shoe to drop in terms of us learning more about exactly what data was stolen and United having some obligation to the folks who were victimized by this – the patient data that was stolen – to alert them and probably provide some type of compensation. So that’s another big part of this story. 
