It’s been more than 44 days since Change Healthcare fell victim to a ransomware cyberattack on Feb. 21, yet not much is known about the nature and scope of the hack, as The New York Times reported.
Also unknown is exactly how many patients, physicians, hospitals, or other providers were affected and how many providers have been unpaid over more than seven weeks. Still, news about the hack breaks almost daily, meaning there are plenty of questions journalists need to ask in the wake of and recovery from this attack.
Why it matters
Among all sectors of the U.S. economy, health care is the most susceptible to such attacks, and as critical to the nation’s infrastructure as energy and water, wrote Reed Abelson and Margot Sanger-Katz for The New York Times in March. National health care spending accounted for 17.3% of the U.S. gross domestic product in 2022, federal data show.
The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history.
Rick Pollack, president and CEO of the American Hospital Association
Change Healthcare is one of the largest clearinghouses for insurance billing and payments in the country, processing some 15 billion transactions annually and about one out of every three health care claims, according to the federal Department of Health and Human Services. The February hack severely disrupted operations for hospitals, medical offices and pharmacies nationwide.
“The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history,” Rick Pollack, president and CEO of the American Hospital Association, said in a statement. “This attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims and receive payment for the essential health care services they provide.”
One of the most important questions journalists can ask is if the Change hack portends such cyberattacks on other health care clearinghouses and health insurers. After all, since Change is a division of the nation’s largest health insurer, does that mean that other insurers also are vulnerable, or perhaps more vulnerable, to such hacks?
In October 2022, UnitedHealth Group subsidiary Optum spent $13 billion to acquire Change after succeeding against an antitrust challenge from the U.S. Department of Justice, Bruce Japsen reported for Forbes. In its challenge, the DOJ said the acquisition would reduce competition and harm consumers.
Big problems for consumers
As the DOJ warned, consumers have been harmed. What’s unknown is how many patients have been unable to fill prescriptions and for how long they went without their medications.
Also unknown is how many patients could not use their drug-coupon cards nor if they had to pay more (and how much more) out of pocket than usual.
“For some consumers, the hack has forced them to pay cash for expensive drugs, denied their use of pharmaceutical discount coupons or left them unable to get their refills at all,” wrote Marlene Cimons, McKenzie Beard and Teddy Amenabar for the Washington Post in March.
And the hack has created uncertainty about how and whether health insurers can approve requests for drugs and verify patients’ insurance coverage, Bob Herman reported for STAT in March.
The problems consumers face getting prescriptions filled and paid for has not been widely reported, making it an important angle for journalists. Also, most people won’t know if the hack has affected their medical claims until they try to fill a prescription or visit a doctor, the Post reported.
In the coming weeks and months, consumers may find that the Change cyberattack resulted in stolen medical claims data, a factor that could put patients’ personal, financial and health data at risk. Once hackers have that data, they can use it themselves to scam or hack those consumers, their banks or credit cards, Dean Sittig, Ph.D., a professor at the University of Texas Health School of Biomedical Informatics, told us in an interview. They also could sell that data to other criminals who could scam or hack the consumers, he added.
Medical records sell for an estimated $60 on the dark web, compared with $15 for Social Security numbers and $3 for credit card information, a cybersecurity researcher told CNBC in March. That may not sound like a lot, but multiplied by thousands or millions of patients, it adds up, Sittig said.
The effect on physicians and hospitals
One angle covered more widely has been the effect on physicians and hospitals. Since the cyberattack, getting a definitive answer to the question of how many claims Change Healthcare processes has been difficult. Estimates have ranged from 15% to 50%.
Change and its parent companies, Optum and UnitedHealth Group, may not want to disclose those numbers, but without that data, assessing the effect of the hack is difficult for journalists and regulators.
Keep in mind that UnitedHealth is the nation’s largest health insurer and reported $22 billion in profits for 2023, as Japsen reported for Forbes in January. In 2023, the company’s portfolio of health insurance and provider services grew by double-digit percentages, he added.
While Change, Optum and UnitedHealth have provided multiple reports on the ransomware attack, some providers said they had no official information in the early days after Feb. 21, reported James Rundle and Kim S. Nash for The Wall Street Journal on April 3.
UnitedHealth has loaned $4.4 billion to help providers who lost revenue, but some of those who got loans “felt pressured by UnitedHealth to make upbeat public statements about the support,” the Journal story said.
In March, CNBC reported on March 27 about the loans to providers, it added that an unknown number of physicians, hospitals and other providers were affected by the cyberattack.
Change originally estimated it would have its operations back online by mid-March. But its website has a timeline for product restoration extending through April 29 at time of publication.
Check back early next week for an in-depth tip sheet on how the hack happened and possible story angles.
