Change Healthcare breach affected 100,000,000 patients

The Change Healthcare data breach that was first reported in February is officially the largest on record reported to the federal government, with an estimated 100,000,000 patients impacted, according to the U.S. Department of Health and Human Services.

Change Healthcare’s parent UnitedHealth Group reported the security breach in a February 21 filing with the Securities and Exchange Commission in which it said it had “identified a suspected nation-state associated cyber security threat actor” had accessed some of its information technology systems. Change Healthcare took its systems offline that day.

UnitedHealth, the nation’s largest private health insurance company, owns Optum Health, the biggest employer of doctors. Optum merged with Change Healthcare, a provider of payment and revenue cycle management technology, in 2022. According to its website Optum’s physicians provide care to more than 100 million patients in the U.S.

The American Hospital Association issued a cybersecurity advisory later that week urging its members to disconnect from Optum. The association said it has been in communication with the FBI, the U.S. Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency regarding the incident.

The breach caused a great deal of financial stress to physicians. More than a third of physician practices (36%) have seen the suspension of claim payments, according to a survey by the American Medical Association. Four out of five (80%) said they lost revenue from unpaid claims, and more than half (55%) used personal funds to cover expenses, the AMA said.

In addition, 32% have said they can’t submit claims, and 22% said they can’t verify if patients are eligible for benefits. The AMA conducted the informal survey between March 26 through April 3, with more than 1,400 respondents.

Nearly all hospitals (94%) said they have suffered a financial impact from the Change Healthcare attack, according to a survey by the American Hospital Association. Nearly 60% of the hospitals said the impact on their revenue has been $1 million per day or greater.

In response, UnitedHealth Group has made about $4.7 billion in payments to providers.

UnitedHealth Group has said the attack was launched by the “Blackcat” ransomware gang, which has targeted healthcare organizations in the past, federal authorities say.

Andrew Witty, CEO of Change Healthcare’s corporate parent, apologized to those affected by the massive cyberattack against the company that has hobbled the U.S. health care system for months.

“To all those impacted, let me be very clear: I’m deeply, deeply sorry,” said Witty, CEO of UnitedHealth Group, based in Minnetonka, Minnesota.

Witty spoke May 1 to the Senate Finance Committee in the hearing “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”

The lawmakers spent more than two hours pressing Witty on issues ranging from cybersecurity to UnitedHealth Group’s size and business practices, to the financial effects on doctors, hospitals and pharmacists, to the theft, potential revelation and misuse of huge amounts of patient information.

Witty said he made the decision to pay a $22 million ransom to recover stolen data, and it was one of the hardest decisions he ever had to make. So far, the company has not seen evidence that materials such as doctor’s charts or full medical histories were exfiltrated from its records. Witty said the cyberattack happened when hackers compromised a Change Healthcare server not protected by multifactor authentication, the technology that requires users to enter a password and an additional piece of information, such as a number, password, confirmation code sent via text, or fingerprint or facial scan, to log into a computer network.