Earlier this year, Change Healthcare, a subsidiary of UnitedHealth Group (UHG) and key player in the U.S. healthcare sector, suffered a catastrophic ransomware attack attributed to the Russian-speaking group ALPHV/BlackCat. We already knew this breach stood as one of the largest in history.
Now an update by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has confirmed via its data breach portal that at least 100 million individuals had their personal health information compromised.
Stolen data includes personal details such as names, addresses, dates of birth, Social Security numbers, and critical health information like diagnoses, medications, and treatment plans.
As Change Healthcare works to recover from the attack, the incident underscores the urgent need for comprehensive reforms to protect sensitive health information in an increasingly digital landscape.
When will I know if my health information was compromised?
In July, the company began sending written notices to those affected by the breach, saying it has committed to notifying impacted individuals as quickly as possible on a “rolling basis” due to the extensive volume and complexity of the compromised data. (Fast Company has reached out to UHG for a firmer timeline and will update this post if we hear back.)
UHG initially provided placeholder estimates regarding the breach’s impact, but later estimated it affected nearly one-third of the U.S. population.
What have the consequences been for UnitedHealth?
OCR is investigating Change Healthcare’s compliance with HIPAA regulations. Despite the scale of the breach, potential financial penalties for UHG remain relatively low. During congressional hearings, UnitedHealth’s CEO, Andrew Witty, disclosed a significant security lapse: a critical system lacked multifactor authentication (MFA), an industry-standard security measure, as CBS News reported.
This revelation has sparked discussions among lawmakers about improving cybersecurity standards in healthcare. Proposed measures include increasing financial penalties for Health Insurance Portability and Accountability Act (HIPAA) violations—laws designed to protect people’s medical information—and enforcing stricter accountability for executives regarding their cybersecurity practices.
Currently, the largest financial penalty for a HIPAA violation is the $16 million fine imposed on Anthem Inc.—a sum that would be negligible for a corporation as large as UnitedHealth Group.
In response, the OCR is urging Congress to increase maximum penalties for HIPAA violations. Democratic senators Ron Wyden of Oregon and Mark Warner of Virginia introduced an initiative advocating for the removal of the penalty cap while establishing minimum fines and enhancing accountability through significant reforms.
“Mega corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden noted, emphasizing that the healthcare sector often lacks robust cybersecurity measures.
The application deadline for Fast Company’s World Changing Ideas Awards is Friday, December 6, at 11:59 p.m. PT. Apply today.