
100m Americans’ data breached in biggest US healthcare hacks ever


It is considered the largest breach of patient protected health information by a government-regulated medical company in U.S. history.

Change Healthcare, owned by UnitedHealth Group, was the victim of a cyberattack eight months ago, but revealed on Thursday that 100 million people had been affected.

This surpassed the previous record for the worst US patient data breach: a 2015 incident at Anthem Inc. that compromised 78.8 million people.

The first official report from Change Healthcare, which manages revenue and payments for medical providers, estimated in July that only 500 people had been compromised.

Now, the scope of the Feb. 21 ransomware attack has prompted Congress to call for lifting the cap on the fine that can be imposed on a negligent healthcare company.

“The healthcare industry has some of the worst cybersecurity practices in the country,” said Senator Mark Warner, “despite its critical importance to the well-being and privacy of Americans.”

Today, existing law caps fines for violators of the Health Insurance Portability and Accountability Act (HIPAA) at $2 million per violation.

If passed, these “common sense reforms” would also include “jail sentences for CEOs who lie to the government about their cybersecurity,” Wyden added.

Eight months after Change Healthcare fell victim to a cyberattack (dramatized via the file image above), the company has finally reported what industry experts call “a more realistic estimate” of the total number of patients affected: 100,000,000 people or one in every three American citizens.

The attack, which Change Healthcare’s parent company attributed to a “foreign nation” last winter.

Anthem was fined $16 million, the largest penalty ever imposed for a HIPAA violation, but experts worry that fine would do little to deter today’s healthcare giants.

Change Healthcare alerted the Department of Health and Human Services’ Office for Civil Rights (OCR) on July 19, noting that its internal investigation was ongoing.

Industry observers in HIPAA Magazine noted that the big round figure of 100 million, published in this month’s Change update, suggests that “it’s possible that number could change.”

“Neither Change Healthcare nor its parent company, UnitedHealth Group (UHG), have confirmed that the file review has been completed,” the magazine noted.

But these staggering numbers mask the myriad intimate tragedies created by Change Healthcare and UHG’s allegedly lax cybersecurity, leading to millions of Americans losing their healthcare privacy.

Linda Barbour, career medical director for several large health insurance companies, told reporters that she had assumed the company would have contacted her the moment it learned that her data had been exposed.

Change failed to inform Barbour until this month.

Beyond the shift in healthcare, the Department of Health and Human Services reports that 394 major data breaches were documented in 2024, whether due to hacking or IT errors. Those 2024 breaches leaked private data of more than 43 million people, the bureau estimates.


“Right now, with this delay, there’s really nothing I can do because it’s been so long,” Barbour said.

OCR officials at the Department of Health and Human Services (HHS) have reportedly been urging Congress to increase maximum penalties for HIPAA violations, hoping that more severe fines could encourage companies to get serious about patient privacy.

And Congress seems to be listening: “Megacorporations like UnitedHealth are failing Cybersecurity 101, and American families are suffering as a result,” Wyden noted in his call for stronger federal HIPAA laws.

The new legislation would update Titles XI and XVIII of the Social Security Law, expanding penalties for oversight and noncompliance for companies that fail to meet security standards that protect health information.

The bills, called the ‘Healthcare Infrastructure Security and Accountability Act,’ will also require minimum cybersecurity standards across all US healthcare networks.

Payment processors, private data brokers and the biggest names in technology have reported massive data breaches this year, including a historic leak of US Social Security numbers and a hack that extracted data from 1.7 million consumer credit cards.

But health care companies have been unique in their sensitivity and lax standards.

The HHS Office of Civil Rights Violations portal reports that 394 major data breaches were documented in 2024, whether due to hacking or IT errors. Those 2024 breaches leaked data on more than 43 million people, the bureau estimates.

Last year, 602 data breaches were reported as hacking incidents, which are estimated to have exposed the private healthcare records of at least 151 million people nationwide.
