Change Healthcare cyberhack fallout ripples to consumers
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
The Change Healthcare cyberattack shook U.S. health care to its core for months and exposed major cyber vulnerabilities. But the likely ripple effects on individuals are only now becoming apparent.
Why it matters: As many as 1 in 3 Americans may have had personal information compromised, some of which is purportedly being trafficked on the dark web — and is expected to enable identity theft, as well as tax, insurance and mortgage fraud.
- And experts say the people with the most at stake aren't aware they're at risk.
Driving the news: Attorneys general from states including Indiana, Massachusetts, Minnesota and Pennsylvania last week warned consumers to be on the lookout for fraud resulting from the breach and to take advantage of free credit monitoring offered after the attack.
- The AGs also said to watch for suspicious financial and health care activity, such as explanations of benefits for services that were not received.
- Change hasn't yet notified individual consumers whether their data was harvested for nefarious purposes, according to Massachusetts Attorney General Andrea Campbell.
Between the lines: The lack of details is compounding frustrations with Change's parent, UnitedHealth Group, which was harshly criticized in Congress for not having basic safeguards like multi-factor authentication in place, and is facing huge legal and financial ramifications.
- UnitedHealth recently revealed the compromised data may include medical information like diagnoses, test results, images, prescriptions, care and treatment. The notice was required under the Health Insurance Portability and Accountability Act, or HIPAA.
- "This data breach affected an estimated millions of Americans, and for the company to stay silent and minimize the widespread consumer impact is totally unacceptable," Pennsylvania Attorney General Michelle Henry said in a statement.
What they're saying: Cybersecurity experts described the amount of data that's been compromised as "bone-chilling" and "uncommonly complete."
- Screenshots on the dark web purporting to be selling complete sets of patient data from the attack appear to have a "frightening" amount of detail, said Chelsea Arnone, director of federal affairs for CHIME.
- "It could be passwords, it could be medical treatment received, billing addresses, billing information, credit card numbers. We don't know what it is that they have and who they have it on," she said.
Threat level: There's also no telling exactly how many different ways criminals will be able to use this treasure trove of data, said Boe Hartman, co-founder and chief technology officer of Nomi Health.
- It is expected to fuel a wide variety of fraud schemes and identity theft, he said. Phishing attacks will be more powerful, as will social engineering that allows attackers the ability to break into accounts.
Zoom in: In one scenario, a fraudster armed with a patient's history, including their doctor's information, could file seemingly legitimate Medicare or Medicaid claims and pocket the reimbursements.
- Affected patients may wind up months later with unexpected bills and exhausted benefits.
- "If we see a rampant increase in fraudulent claims for health care, that's going to show up on all of our bills," Jack Danahy, vice president of strategy and innovation at NuHarbor Security, told Axios.
The intrigue: While cyber criminals generally are more interested in using data in ways that are automated and scalable, it's entirely possible this could fuel a phenomenon of health care blackmail of high profile individuals, Hartman said.
- "Could you imagine being a Republican candidate in a very conservative district, and I just point out to the world that your 19-year-old daughter got an abortion or a rape kit?" Hartman said.
Friction point: Along with the AGs, cyber experts say they are frustrated that Change hasn't begun letting any patients know if they were caught up in the breach, even if they can't yet tell them everything that was stolen.
The other side: A spokesman for UnitedHealth Group said the company had no new information to share but referred to the credit monitoring and identity theft resources.
- The company has said it plans to begin mailing letters to affected individuals later this month.
- It's not entirely surprising that Change Healthcare hasn't notified individual consumers yet because recovering and piecing together huge volumes of data is extremely difficult, said Michael McLaughlin, a cyber incident response attorney at Buchanan Ingersoll & Rooney.
- Notification based on partial data isn't particularly helpful if it doesn't disclose the extent of what was compromised, he said.
What we're watching: While Congress pushes for answers, it will also likely be looking for ways for consumers to protect themselves.
- For example, free credit freezes were made available to individuals in 2018 in the wake of the massive hack of Equifax.
- Patients will need to be alerted if they have new insurance claims, and it would help if that process were easy to do and easy to understand, Hartman said.
- "The silver lining is, I think there'll be patient-facing innovations that'll make this world less complicated," he said.
