The United States is facing the largest medical data leak in history.
Change Healthcare has officially confirmed that more than 100 million medical personnel were compromised in a cyberattack that occurred on February 21, 2024. The event was the largest leak of protected health information (PHI) among HIPAA-regulated entities, surpassing Anthem Inc.'s record-breaking data breach in 2015 that affected 78.8 million people.
Due to the scale of the leak, the US Civil Rights Office (OCR) initiated a separate investigation. At the time of filing the report in July, the company reported 500 victims, as the analysis of the leak was still ongoing. Now, Change Healthcare has updated the figures, giving an estimated 100 million people affected, but the verification process has not yet been completed and the figure is subject to change.
Senator Ron Wyden criticized the company's approach to cybersecurity, noting the lack of multi-factor authentication on one of the servers, which allowed attackers to gain access and cause widespread damage. He called for reforms that would require tougher penalties for security breaches and higher penalties for non-compliance with HIPAA.
UnitedHealth Group, the owner of Change Healthcare, faced colossal costs due to the incident. At the end of the third quarter of 2024, losses from a cyberattack amounted to $2.87 billion. System recovery continues, but some operations and transactions have not yet reached pre-attack levels.
The cyberattack sparked a wave of lawsuits. More than 50 lawsuits from patients and medical facilities have been consolidated for consideration in a Minnesota court. The victims accuse the company of an insufficient level of data protection and demand compensation for the leakage of personal information.
The situation has also provoked fears of a possible repetition of such attacks. A report by the American Medical Association (AMA) indicates that 60% of healthcare providers continue to experience difficulties in verifying insurance data and applying for services several months after the attack.
The Change Healthcare scandal has been a wake-up call for the industry, pointing to the need to reprioritize cybersecurity. Agencies such as the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have begun developing new standards for critical organizations, including the medical sector.
Source
Change Healthcare has officially confirmed that more than 100 million medical personnel were compromised in a cyberattack that occurred on February 21, 2024. The event was the largest leak of protected health information (PHI) among HIPAA-regulated entities, surpassing Anthem Inc.'s record-breaking data breach in 2015 that affected 78.8 million people.
Due to the scale of the leak, the US Civil Rights Office (OCR) initiated a separate investigation. At the time of filing the report in July, the company reported 500 victims, as the analysis of the leak was still ongoing. Now, Change Healthcare has updated the figures, giving an estimated 100 million people affected, but the verification process has not yet been completed and the figure is subject to change.
Senator Ron Wyden criticized the company's approach to cybersecurity, noting the lack of multi-factor authentication on one of the servers, which allowed attackers to gain access and cause widespread damage. He called for reforms that would require tougher penalties for security breaches and higher penalties for non-compliance with HIPAA.
UnitedHealth Group, the owner of Change Healthcare, faced colossal costs due to the incident. At the end of the third quarter of 2024, losses from a cyberattack amounted to $2.87 billion. System recovery continues, but some operations and transactions have not yet reached pre-attack levels.
The cyberattack sparked a wave of lawsuits. More than 50 lawsuits from patients and medical facilities have been consolidated for consideration in a Minnesota court. The victims accuse the company of an insufficient level of data protection and demand compensation for the leakage of personal information.
The situation has also provoked fears of a possible repetition of such attacks. A report by the American Medical Association (AMA) indicates that 60% of healthcare providers continue to experience difficulties in verifying insurance data and applying for services several months after the attack.
The Change Healthcare scandal has been a wake-up call for the industry, pointing to the need to reprioritize cybersecurity. Agencies such as the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have begun developing new standards for critical organizations, including the medical sector.
Source
