Health care providers nationwide have been impacted with substantial disruptions to the health care services they provide following a February 2024 data breach by Change Healthcare (https://www.changehealthcare.com/), a technology-based subsidiary of United HealthCare. Change serves as an intermediary between health insurance companies, providers and patients, and claims on its website to be “a trusted partner for organizations committed to improving the healthcare system through technology.” However, due to vulnerabilities in its network, there are reports that late last month hackers tied to this attack obtained close to six terabytes of patient data. This attack has resulted in a nationwide outage of a network designed to communicate data between healthcare providers and insurance companies.
According to social media posts, payments to providers made through Change have been delayed, and patients have reportedly not been able to fill prescriptions or obtain other benefits. According to at least one report, “Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket.”
United HealthCare has listed more than 100 Change Healthcare services that were impacted by the attack, including benefits verification, claims submission, and prior authorization. According to a filing by United HealthCare with the Securities and Exchange Commission and its website, United HealthCare claims it has taken “immediate action to disconnect Change Healthcare’s systems to prevent further impact in the interest of protecting our partners and patients.”
One of the partners of the hackers behind the cyberattack has reported that on March 1, 2024 “Sadly for Change Healthcare, their data [is] still with us.” The data they obtained may soon end up on the dark web.
Healthcare technology companies are gradually integrating technology, increasing the importance of easily accessible and shareable patient data. This makes healthcare technology companies particularly attractive to would-be cyber attackers, and vulnerabilities like this leaves hospitals exposed to the risks of cyberattacks. Unless health care technology companies like Change are held accountable for their lapses in cyber security, such attacks on health care providers are bound to increase.
If you are a health care provider that has been impacted by the Change cyberattack, please complete this form and we will investigate your potential claim.