Change Healthcare breach

The Change Healthcare hack shut down a key payment and claims switchboard in U.S. medicine, freezing prescriptions, billing and reimbursements nationwide. (sec.gov) UnitedHealth Group said it detected the intrusion on February 21, 2024, and isolated affected Change Healthcare systems the same day. Change later told the U.S. Department of Health and Human Services that about 100 million breach notices had gone out by October 22, 2024. (sec.gov) (hhs.gov) By January 24, 2025, Change told federal regulators that about 130 million notices had been sent and about 190 million people had been affected. The Office for Civil Rights called the attack's impact on patient care and privacy "unprecedented." (hhs.gov 1) (hhs.gov 2) Change Healthcare is a clearinghouse, a back-office middleman that moves claims and payment data between doctors, hospitals, pharmacies, insurers and government programs. The Treasury Department's Office of Financial Research said Change was the largest medical claims clearinghouse in the United States when the attack hit. (financialresearch.gov) That position turned one company outage into a national cash-flow crisis. In an American Hospital Association survey of nearly 1,000 hospitals fielded March 9-12, 2024, 94% reported a financial impact and 74% reported a direct patient care impact. (aha.org) Federal officials opened a relief valve on March 9, 2024, when the Centers for Medicare & Medicaid Services offered accelerated and advance payments to providers whose Medicare claims were stuck. The agency said the program was created specifically for providers facing cash-flow problems from the Change Healthcare incident. (cms.gov) UnitedHealth told providers on March 18, 2024, that it had advanced more than $2 billion to help keep practices and hospitals operating during the outage. The company later said the cyberattack cut into its 2024 results, including about $300 million in unfavorable effects in the third quarter alone. (unitedhealthgroup.com 1) (unitedhealthgroup.com 2) At a May 1, 2024, Senate Finance Committee hearing, Chief Executive Andrew Witty said the attackers got in through a server that did not have multifactor authentication, the extra login check that typically requires a code or second device. Senators from both parties used the hearing to question UnitedHealth's security practices and the risks of concentrating so much of the health system's plumbing in one company. (finance.senate.gov) (cbsnews.com) The Office for Civil Rights said its main investigation is focused on Change Healthcare and UnitedHealth Group, not on hospitals and doctors that used the company as a business associate. That leaves the biggest open questions on two tracks: how regulators judge the security failures, and how much more the attack will cost the health system that depended on Change to keep money and records moving. (hhs.gov)