Between February 17 and February 20, 2024, Change Healthcare (“CHC”), a subsidiary of United Healthcare, experienced a ransomware attack described to U.S. Lawmakers in April 2024 as one of “the most devastating to ever hit the healthcare industry.” The attack affected an estimated one-third of Americans whose sensitive data were included in the leak. Patient care and medical claims were interrupted as CHC’s systems were shut down to protect from further exposure. 

On learning of the attack, CHC has sent letters to patients affected by the leak, promising to make their computer system “even stronger than before,” and providing free credit monitoring for 2 years. This comes as patients are informed about the data that was involved: names, addresses, dates of birth, phone numbers, email addresses, and one or more of the following: 

• Health insurance data, including plans and member ID numbers including Medicare and/or Medicaid ID numbers. 

• Health data including medical record numbers, providers, diagnoses, medications, test results, images, and care received.

• Billing data including claims, payment data, claim numbers, account numbers, billing codes, credit cards, bank information and balances.

• Personal data including Social Security numbers, driver’s license and state IDs, and other ID numbers.

To say it bluntly, the attackers have it all. 

The Achilles’ heel of healthcare data security is the centralization of data storage. It only takes one successful penetration to expose millions of sensitive data records. In addition, the Federal Government and private sector reportedly responded slowly to the attack, demonstrating a second key weakness in the system. 

In the case of this attack, the words, “Change Healthcare” describe both the data target, and the implicit demand to fix the problem. In the first place, patient data needs to be protected, but also need to be a part of a complete system that is capable of processing orders and claims for patient care and payments.