In February 2024, the healthcare industry was rattled by a significant cyberattack targeting Change Healthcare (“Change”), a subsidiary of UnitedHealth Group, one of the largest health insurance companies in the world. The breach sent shockwaves throughout the healthcare ecosystem, raising concerns about patient data security, operational integrity, and the vulnerability of critical infrastructure. As the dust settles, the impact of this breach reverberates across healthcare providers, entities, and most critically, their patients.
The February 2024 attack against Change has affected a significant portion of the U.S. healthcare industry from small medical offices to large hospital systems to billing companies. This is not surprising considering Change processes $2 trillion in healthcare claims each year, handling 15 billion transactions annually. Though there have been many victims of all sizes, among the hardest hit are smaller practices as they rely on timely payments from Change to operate their businesses.
A study published in JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other healthcare providers doubled from 2016 to 2021. Accordingly, healthcare providers, already burdened with the responsibility of delivering quality care, now face the added challenge of safeguarding sensitive patient information from increasingly sophisticated cyberattacks. The breach at Change underscores the urgent need for heightened cybersecurity measures within the healthcare sector.
First and foremost, patient data privacy and security must remain paramount. Healthcare entities must invest in robust encryption protocols, multi-factor authentication, and continuous monitoring to detect and thwart potential threats. Regular cybersecurity audits can help identify vulnerabilities before they are exploited by malicious actors.
Moreover, fostering a culture of cybersecurity awareness among staff is crucial. Healthcare providers and entities should prioritize employee training programs to educate staff on identifying phishing attempts, implementing strong password practices, and recognizing potential security breaches. Employees must understand their role in safeguarding patient data and be empowered to report any suspicious activity promptly.
Collaboration and information sharing within the healthcare industry are also vital. By sharing threat intelligence and best practices, healthcare providers can collectively strengthen their defenses against cyber threats. Additionally, partnerships with cybersecurity experts and government agencies can provide valuable insights and resources to enhance security posture.
Furthermore, investing in advanced technologies such as artificial intelligence and machine learning can bolster cybersecurity efforts. These technologies can analyze vast amounts of data in real-time, identifying anomalous behavior and potential threats with greater accuracy and speed than traditional methods.
Accordingly, the February 2024 cyberattack on Change serves as a sobering reminder of the persistent threats facing the healthcare industry in the digital age. As Congresswoman Anna Eschoo stated during the Health Subcommittee on Health Sector Cybersecurity hearing held on April 16, 2024, the “health care sector is a hackers’ playground because it offers services people need and handles a massive amount of medical records which sell on the dark web for $60 a pop.”
The attack against Change highlights the urgent need for healthcare providers and entities to prioritize cybersecurity and adopt proactive measures to safeguard patient data and preserve operational integrity. By investing in robust cybersecurity measures, fostering a culture of awareness, and leveraging advanced technologies, healthcare providers can fortify their defenses and mitigate the risk of future cyberattacks. The Healthcare and Privacy and Cybersecurity teams at Mandelbaum Barrett PC remain committed to helping healthcare providers during this process.