Change Healthcare Cyberattack Highlights Data Security Issues Amidst Virtual Care Expansion
Months after a devastating cyberattack targeted Change Healthcare, officials and experts in the industry are calling for stronger measures to protect patients’ data.
Change Healthcare, a healthcare technology company that handles high volumes of medical and patient data, was hacked on Feb. 21, leading to millions of Americans’ data being stolen and wreaking havoc on the healthcare industry.
The incident comes during a time of significant growth for virtual care companies and other digital healthcare providers.
Rise of Digital Health Services and Associated Risks
With virtual care companies and digital health services on the rise, more consumers than ever before have access to healthcare.
According to CDC statistics, social distancing and lockdown protocols during the COVID-19 pandemic directly or indirectly led to 37% of American adults using digital or telemedicine services in 2021.
Similarly, in Canada, the MAP Center for Urban Health Solutions found that 1 in 5 Canadians – especially those without a primary care doctor – turned to digital healthcare services since the pandemic.
However, the proliferation of online health services in recent years also means that personal medical data is at greater risk of theft by cyber criminals than ever before.
Healthcare Data Breach Statistics
According to data submitted to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), there were 725 data breaches in 2023, with around 130 million private records disclosed to cyber criminals.1
The Health Insurance Portability and Accountability Act (HIPAA), which publishes monthly summaries and statistics regarding data breaches affecting electronic records in the industry, reported that cyber-attacks targeting the healthcare industry have increased year over year since the organization began monitoring in 2009.
To illustrate the scope of the problem, from Jan. 1, 2018, to Sept. 30, 2023, the OCR reported a 239% increase in hacking-related data breaches and a 278% rise in ransomware attacks.
Hacking was the most common cause of security breaches, responsible for 79.7% of all data breaches in 2023.
The situation is worsening not just in terms of the number of breaches, but also their severity.
The year 2021 saw 45.9 million records compromised, while 2022 surpassed that with 51.9 million records breached.
However, 2023 shattered all previous records with a staggering 133 million records exposed, stolen, or improperly disclosed. This total includes 26 data breaches each involving over 1 million records and four breaches each affecting more than 8 million records.
The largest breach of the year impacted 11,270,000 individuals, marking it as the second-largest healthcare data breach in history.
Victims of such attacks, as mentioned in the HIPAA report, include major insurance providers like Kaiser Health, Ascension, Anthem Inc., Premera Blue Cross, Excellus, as well as healthcare software provider Welltok, among other major companies.
Experts believe the attack on Change Healthcare could be a significant turning point.
Fran Rosch, CEO of digital ID company Imprivata, referred to the attack as a “catalyst for change” in the industry.
“There is a collective responsibility shared by healthcare organizations and governing entities to ensure patient safety. In this instance, we saw failures and oversight at all levels. Providers are still dealing with the fallout that resulted,” Rosch wrote in an article for Forbes.
“Patients deserve better, and if anything comes from attacks like this, it should be the change and innovation that healthcare organizations urgently need.” 2
What Was the Change Healthcare Cyberattack?
Change Healthcare, owned by parent company United Health, handles billions of healthcare transactions each year, and is responsible for the management of a significant amount of patient data and health records.
In February, the company was targeted with a ransomware attack – one in which hackers gain control of an organization's servers and hold them for ransom.
Hundreds of thousands of healthcare providers, patients, insurance companies, and pharmacies that relied on the company for billing and other services could no longer handle monetary transactions or authorizations for procedures, which significantly hampered the healthcare industry.3
The company later confirmed that they had paid a ransom of $22 million in Bitcoin to the suspected Russia-based cybercrime organization Blackcat/ALPHV.4
The scope of the breach was so significant that United Health CEO Andrew Witty later told a congressional committee that possibly a third of Americans’ data could have been affected, exposing their names, addresses, medical codes, and insurance numbers.
In the U.S. Senate hearing on May 1, Witty blamed the breach on a lack of multifactor authentication on their servers, which is a basic means of cyber protection.5
In the aftermath, the American Hospital Association called the attack "the most significant and consequential incident of its kind against the U.S. health care system in history."
Interestingly, prior to the breach, United Health was the subject of an antitrust lawsuit filed by the Department of Justice (DOJ), which sought to block the group from acquiring Change Healthcare. Officials argued that its merger with United Health’s subsidiary Optum would create an unfair advantage for the company and give it access to the systems through which “about half of Americans’ health insurance claims pass each year.”
The DOJ's concerns proved to be well-founded, as centralizing such a vast amount of data made the company an attractive target for cybercriminals.
Unfortunately, the fallout of the incident is still ongoing.
Months after the attack, on June 12, the Department of Health and Human Services (HHS) recommended that healthcare providers affected by the breach ask United Health to notify individuals whose data had been compromised.6
Cyber Threats and Their Consequences
The Change Healthcare incident has broader implications for the healthcare industry going forward.
As digital healthcare companies and service providers handle more medical data, there is an increasing awareness of cybersecurity issues.
Data breaches and data misuse present a significant danger with consequences that extend beyond financial damage, experts say.
Cleveland Clinic physician Dr. Anthony James Cartwright detailed some of these consequences in a paper published in 2023 in the Journal of Clinical Monitoring and Computing. They include but are not limited to:
- Medical Identity Fraud: Criminals use stolen identities to access medical services, leaving the actual patients with massive debt and compromised future medical care. In addition, criminals can use personal medical information to forge documents for financial gain (personal medical data sells for up to $1000 on the dark web).
- Discrimination Risks: Leaked medical conditions or genetic information can lead to bias, negatively impacting job prospects and insurance coverage.
- Loss of Trust: Security breaches deeply erode patient confidence in healthcare institutions.
- Phishing Attacks: An overworked doctor clicks on what appears to be a legitimate email about updating patient billing systems, unknowingly releasing malware that gives hackers access to a treasure trove of sensitive information.
- Insecure Servers: An improperly configured server, left vulnerable, becomes an easy target for cybercriminals, exposing patient names, diagnoses, and prescriptions to malicious entities.
- Internal Threats: Sometimes the threat comes from within the organization. A disgruntled employee, motivated by revenge or financial gain, misuses their access rights, revealing patients' most personal data.
Ethical Concerns: Data Misuse by Virtual Care Companies
Personal medical data is not just valuable for hackers, but for profit-seeking companies as well.
There is evidence that many virtual care companies sell personal data for a profit to pharmaceutical companies, which in turn use such information to promote drugs or vaccines.
In a recent study published in BMJ, Canadian researchers interviewed 18 industry insiders from Oct. 2021 to Jan. 2022 to assess how data was being used by virtual care companies.
The researchers concluded that many companies viewed patient data as a “revenue stream.”
According to the study, virtual care companies either used patient data for marketing purposes, or were even funded by pharmaceutical companies to collect and analyze data for them.
“In some cases, virtual care companies were funded by pharmaceutical companies to analyze data collected when patients interacted with a healthcare provider and adjust care pathways with the goal of increasing uptake of a drug or vaccine,” researchers wrote.
In response to the study, experts noted that the monetization of private patient data could lead to conflicts of interest and a “commercialization” of the healthcare system, serving to benefit shareholders rather than patients.
It is important for companies to be transparent with patients regarding their use of patients’ data, and to always obtain prior consent.
Companies should also be up front about their efforts to safeguard patients’ privacy and security, and to allow consumers the choice to “opt-out” of commercial uses of data.
Conclusion
In addition to complying with HIPAA regulations, which set the standards for protection and use of patient data in the medical industry, companies ultimately must develop more robust cybersecurity practices.
To ensure a secure healthcare system, cybersecurity experts recommend that all data be encrypted and regularly backed up, which protects against misuse and lets providers maintain care standards during outages.
Institutions must also prioritize staff training on cybersecurity, including annual courses on phishing, the risks of public networks, and security best practices.
Regular simulated phishing tests, email alerts for external communications, and strict password protocols are essential. Given that staff are the primary cybersecurity risk, these measures are critical.
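The "email alerts for external communications" control mentioned above is one of the few recommendations here that reduces to a concrete check, so the following is an added illustration (not code from the article or from any organization it names) of how an inbound-mail filter can tag messages whose sender is outside the organization. It also covers two cases a plain domain comparison misses: a display name that imitates an internal address while the real address is external, and a Reply-To header that redirects replies outside the organization. The internal domain list and the sample messages are constructed for this illustration.

```python
"""Tag inbound mail that did not originate inside the organization.

Added illustration, not code from the article or any organization it names.
Assumes the organization's own mail domains are known (constructed list below)
and that messages arrive as RFC 5322 text.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed for this illustration: the organization's own mail domains.
INTERNAL_DOMAINS = {"clinic.example", "billing.clinic.example"}
TAG = "[EXTERNAL]"


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(msg: Message) -> dict:
    """Decide whether a parsed message is external and why.

    Returns {"external": bool, "reasons": [str], "subject": str}; subject is the
    header as it should be delivered, with the tag prepended exactly once.
    """
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reasons = []

    if from_domain == "":
        reasons.append("missing or unparsable From address")
    elif from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"sender domain {from_domain} is not internal")

    # The display name is free text. One that looks like an internal address
    # while the real address is external is worth calling out explicitly, so
    # the decision is always based on the address, never on the name.
    if reasons and _domain(name) in INTERNAL_DOMAINS:
        reasons.append("display name imitates an internal address")

    # Replies routed to an outside address deserve a flag even when From is internal.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) not in INTERNAL_DOMAINS:
        reasons.append(f"Reply-To domain {_domain(reply_to)} is not internal")

    subject = msg.get("Subject", "").strip()
    external = bool(reasons)
    if external and not subject.startswith(TAG):
        subject = f"{TAG} {subject}".strip()
    elif not external and subject.startswith(TAG):
        # Internal mail must never carry the marker, or staff cannot trust it.
        subject = subject[len(TAG):].strip()
    return {"external": external, "reasons": reasons, "subject": subject}


def classify_raw(raw: str) -> dict:
    """Convenience wrapper taking raw RFC 5322 text."""
    return classify(message_from_string(raw))


# Constructed sample messages for the illustration (not real mail).
SAMPLES = {
    "internal": "From: Dr. Lee <lee@clinic.example>\nSubject: Rota for next week\n\nHi\n",
    "tagged_internal": "From: Dr. Lee <lee@clinic.example>\nSubject: [EXTERNAL] Lunch\n\nHi\n",
    "vendor": "From: Support <help@vendor.example>\nSubject: Invoice 1042\n\nSee attached\n",
    "lookalike": (
        'From: "it-support@clinic.example" <alerts@mail-service.example>\n'
        "Subject: Update your billing login\n\nPlease sign in again\n"
    ),
    "reply_to": (
        "From: Billing <ar@billing.clinic.example>\n"
        "Reply-To: ar@mail-service.example\nSubject: Statement\n\nAttached\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = classify_raw(raw)
        print(f"{label:16} external={r['external']!s:5} subject={r['subject']!r} reasons={r['reasons']}")
```

In production this logic lives in the mail gateway or transport rules rather than a script, but the design points carry over: the tag must depend on the parsed address and not on the free-text display name, an internal message is never allowed to carry a pasted-in tag (otherwise the marker's absence stops meaning anything), and a Reply-To pointing outside the organization is flagged even when the From header is internal.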
Key Takeaways:
- The cyberattack on Change Healthcare exposed millions of Americans' data and disrupted the healthcare industry significantly.
- Increased use of digital and telemedicine services during the COVID-19 pandemic has heightened data exposure risks.
- In 2023, there were 725 data breaches in the healthcare sector, exposing around 130 million private records.
- Data breaches are increasing not only in number but also in severity, with 133 million records compromised in 2023 alone.
- Hacking is the primary cause of data breaches, responsible for 79.7% of all breaches in 2023.
- Major companies, including insurance providers and healthcare software companies, have been targets of cyberattacks.
- There are growing concerns about virtual care companies selling patient data for profit to pharmaceutical companies or using data to promote affiliated products and services.
- Stolen medical identities are used for accessing services or accessing victims’ finances.
- To secure healthcare systems, it is essential to implement strong cybersecurity measures, including data encryption, regular backups, and comprehensive staff training.
- Compliance with HIPAA and other regulations is critical for protecting patient data and mitigating cybersecurity risks.