It’s being called the largest-ever breach of patients’ protected health information by a government-regulated medical company in America’s history.
Change Healthcare, owned by UnitedHealth Group, fell victim to a cyber attack eight months ago but revealed on Thursday that 100 million people had been affected.
That surpassed the previous record holder for the worst breach of US patient data: a 2015 episode Anthem Inc. that put 78.8 million individuals at risk.
The first official report from Change Healthcare, which manages revenue and payments for medical providers, estimated in July that only 500 people had been infected.
Now, the scale of the Feb. 21 ransomware attack has prompted Congress to call for lifting the cap on the fine a negligent healthcare company can face.
“The healthcare industry has some of the worst cybersecurity practices in the country,” said Senator Mark Warner, “despite its critical importance to the well-being and privacy of Americans.”
Today, existing law provides a cap of $2 million per violation for violators of the Health Insurance Portability and Accountability Act (HIPPA).
If passed, these “common sense reforms” would also include “jail sentences for CEOs who lie to the government about their cybersecurity,” Wyden added.
Eight months after Change Healthcare fell victim to a cyberattack (dramatized via stock image above), the company has finally reported what industry experts call “a more realistic estimate” of the total number of patients affected: 100,000,000 people, or one in the three American citizens
The hack, which Change Healthcare’s parent company attributed last winter, to a “foreign nation.”
Anthem was fined $16 million, the largest fine imposed for a HIPAA violation, but experts worry such a fine would hardly deter today’s healthcare giants.
Change Healthcare alerted the Department of Health and Human Services’ Office for Civil Rights (OCR) on July 19, noting that their internal investigation was ongoing.
Industry observers at the HIPAA Journal noted that the big round number of 100 million, published in this month’s Change update, suggests that “it is possible that figure will change.”
“Neither Change Healthcare nor its parent company, UnitedHealth Group (UHG), has confirmed that the file review has been completed,” the magazine said.
But these eye-popping numbers mask the countless intimate tragedies caused by Change Healthcare and UHG’s allegedly lax cybersecurity, causing millions of Americans to lose their healthcare privacy.
Linda Barbour, medical director for several major health insurers, told reporters she assumed the company would have contacted her as soon as it knew her information had been made public.
Change only managed to inform Barbour this month.
Beyond Change Healthcare, the Department of Health and Human Services reports that 394 significant data breaches have been documented in 2024, either due to hacking or IT errors. These breaches in 2024 exposed private data of more than 43 million individuals, the agency estimates
“Now that it’s getting to this point, so delayed, I can’t really do anything because so much time has passed,” Barbour said. STAT news.
OCR officials at the Department of Health and Human Services (HHS) have reportedly urged Congress to increase maximum penalties for HIPAA violations, hoping that tougher fines could encourage companies to take patient privacy seriously to take.
And Congress appears to be listening: “Mega corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering,” Wyden noted in calling for stricter federal HIPPA laws.
The new legislation would update Titles
The bills, called “The Health Infrastructure Security and Accountability Act,” will also mandate minimum cybersecurity standards across all U.S. healthcare networks.
Payment processors, private data brokers and big names in the tech sector have all reported massive data breaches this year, including a historic leak of US Social Security numbers and a hack that harvested data from 1.7 million consumer credit cards.
But healthcare companies are unique in their sensitivity and lax standards.
HHS’s Office for Civil Rights Breach Portal reports that 394 significant data breaches have been documented in 2024, either due to hacking or IT errors. These breaches in 2024 will have leaked data on more than 43 million individuals, the agency estimates.
Last year, 602 data breaches were reported as hacking IT incidents, estimated to have exposed the private healthcare data of at least 151 million people across the country.