The Change Healthcare data breach in February of this year was the largest healthcare data breach to date. The fallout continues.
Change Healthcare acts as a medical claim clearinghouse for approximately 15 billion medical and prescription claims each year. Change Healthcare is a subsidiary of UnitedHealth Group. The CEO of UnitedHealth Group, CEO Andrew Witty, estimated in May that roughly one-third of Americans were affected by the data breach.
Victims of the data breach include patients whose personal health information (PHI) was exfiltrated by hackers, healthcare providers who were unable to process claims, and the respective involved corporate interests. In November, nine months following the data breach, Change Healthcare announced its services were again fully operational.
Individual information exfiltrated by hackers was broad enough to steal the identity of victims of the Change data breach. Types of data stolen include:
- Patient medical record numbers, imaging, test and lab results, treatment records, diagnoses, and treatment records
- Health plan data including member and group identification numbers, Medicaid, and Medicare beneficiary numbers, and government payment numbers
- Names, addresses, driver license numbers, social security numbers, banking, and billing records
By some accounts, the Change Healthcare hack was an ugly data breach waiting to happen. In testimony before Congress, Mr. Witty described the hack as an attack on legacy software so outdated that it did not require multi-factor authentication (MFA)—a commonly accepted protocol to deter cybertheft and business disruption. Mr. Witty also disclosed he had directed payment of $22 million in bitcoin to the hackers in return for the data—which was not returned.
The initial hacking group, after having a disagreement with the group that provided them access to the Change Healthcare network, took the money and ran. A second hacking group, RansomHub acquired the data and demanded their own payment. When a ransom was not forthcoming, the group posted the data. In the “too little too late” category, Mr. Witty noted to lawmakers that all external facing servers now sport MFA.
Approximately 49 lawsuits brought by individuals whose data was stolen, along with suits filed by providers who were not able to be paid, were consolidated in Minnesota in June. Additional lawsuits have been filed in Minnesota which is home base to UnitedHealth.
In these civil actions, Change is accused of failing to protect the personal information of the victims of the data breach, among other charges. Change has stated in court documents that the allegations are “based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient, and plaintiffs must have been harmed. Given Mr. Witty’s statements to Congress, it may be difficult to prove cybersecurity was sufficient in this case. In a tragic turn, the company recently lost Brian Thompson, the CEO of UnitedHealthcare, who was gunned down in New York City.
There are reasons for the confidentiality of healthcare data. The data exposed in the Change breach will almost surely be used to support multiple instances of fraud and identity theft in coming years.
Respected personal injury law firm helps you after serious harm caused by medical error
With offices in Baltimore, Maryland and Washington, DC, the legal team at Schochor, Staton, Goldberg and Cardea, P.A. is a trusted resource for individuals and families injured by medical malpractice and error. Call us at 410-234-1000 to set up a free consultation to discuss your case.