On Feb. 21, a cyberattack targeted Change Healthcare, the U.S.’s largest health information exchange platform servicing providers and insurance companies, resulting in what could prove to be the most extensive healthcare data breach to date.
Change Healthcare is a part of Optum, a multifaceted healthcare company with a vertically integrated business model that provides direct healthcare services, pharmacy services and numerous technology solutions. Both Change and Optum are embedded in UnitedHealth Group, the nation’s largest healthcare company, with 2023 revenue reported at $371.6 billion. 1
Source: HealthcareHuddle/Jared Dashevsky
Change Healthcare can be thought of as the digital highway that ensures patient information can move between clinical entities – e.g., physician practices, hospitals and other health systems – and insurance companies so that the clinical groups and their respective workforces are paid for the services they provide to patients. In addition to information transfers, Change Healthcare’s digital highway helps ensure that prescribed pharmaceuticals make their way to pharmacies that provide medications to patients.
All information exchange platforms come with significant financial, operational, information security and personal risk, but in the case of Change Healthcare, that risk is immense. Its digital infrastructure processes about 15 billion healthcare claims annually, totaling over $1.5 trillion2 and accounting for roughly one-third of Americans’ patient records,3 creating the opportunity for an industry-halting attack.
The implications and ramifications of that attack are still being uncovered, communicated and haphazardly addressed.
In June, four months after the cyberattack, the company began releasing details on the type of patient information that had been compromised. A June 2024 Stat News article summarized the extent of the data breach:
“The company [Change Healthcare] said patients’ names, birth dates, and contact info were likely taken. It said other info that may have been compromised includes health insurance information, diagnoses, prescriptions, test results, diagnostic images, financial and banking information, account numbers, billing codes, state ID numbers, passport numbers, and Social Security numbers.”4
In late July, the company began notifying individuals whose data had been compromised.
Risk management for any company the size of UnitedHealth Group would be an extensive enterprise. Optimal risk mitigation strategies would extend beyond internal operations to encompass and safeguard the multitude of healthcare entities that use the central firm’s critical services. And yet, this sort of ecosystem-wide risk management is not the norm, as demonstrated in Change Healthcare’s data breach – a calamitous realization of the risks inherent to a company that is “too big to fail,” with consequences that affect every group in the goliath’s network. The smaller entities must use greater care and caution in their risk calculations than their larger partner employs because the minor firms’ resilience is likely more fragile. Unlike a behemoth, they are not too big to fail.
Provider practices and hospitals understand the stakes. Patients expect direct care providers to keep their sensitive data and information secure. These care providers are the primary handlers of patient data, the ones who interact with patients in person and who must answer patient concerns, yet they are not in complete control of patient data security. The Change Healthcare case has shown that massive companies like UnitedHealth are buffered, almost immune, from ramifications stemming from data breaches that could otherwise threaten the viability of their business. On the other hand, providers are left to handle varying degrees of public panic, spending vast amounts of time and energy to mitigate deleterious effects and continue mission critical operations. The share of risk management burdens is unbalanced.
The COVID-19 pandemic reminded the world how interconnected we are and that, without adequate attention and care, our connections are vulnerable to disruptive and pernicious forces. In the public health sector, government oversight and public funding play crucial roles, with far-reaching impacts and long-term precedence. Meanwhile, corporate behavior and preparedness can either sustain or collapse entire health systems.
In the case of Change Healthcare’s data breach, the lack of regulation moderating corporate vertical consolidation in healthcare allowed the information exchange platform’s near-monopoly in the health data space, leading to outsized risk and what Rick Pollack, the president and CEO of the American Hospital Association, has called the most significant and consequential cyberattack in the history of U.S. healthcare.5
Source: HealthcareHuddle/Jared Dashevsky
In fairness to government regulators, they did challenge Optum and parent company UnitedHealth’s acquisition of Change Healthcare. The Department of Justice filed a lawsuit in 2022 arguing that the merger would give UnitedHealth outsized control over the claims processing market as well as sensitive information about its competitors. The DOJ lost this case in court but have since launched multiple antitrust investigations into UnitedHealth and Optum pertaining to several other acquisitions.6 Anticompetitive mergers and acquisitions in the healthcare sector increase systemic risks from cybersecurity threats, a factor that should be considered and cited by regulators and litigators.
Individual patients and healthcare provider entities undoubtably paid the highest price for Change Healthcare’s risk miscalculation. While the company works to restore its systems to full capacity, the American Medical Association released a report surveying the harm caused by February’s cyberattack. Among its myriad impacts, the breach caused the suspension of medical services, led to financial insolvency for small and rural practices, and precipitated acquisitions in some cases where physician practices had no other recourse.7
In a recent Kenan Institute commentary titled “Building Business Resilience in an Age of Radical Uncertainty,” UNC Kenan-Flagler Business School Professor of Finance Christian Lundblad writes that, in trying to balance risk reduction with the pursuit of growth opportunities, companies face the challenge of answering to many stakeholders, often prioritizing to maximize near-term financial gains over investments in long-term risk management. Lundblad goes on to say:
“It is entirely understandable why business heads would prefer to operate in this manner, as it would be a difficult discussion for a company executive to have with the company’s board if a sizable investment were paid toward mitigating a risk that never materialized.”8
Considering this view, we can point to some critical questions that arise from the Change Healthcare case:
We are in an era when companies and regulators operate while facing radical uncertainty and ever-emerging new risks, so these questions are no longer mere afterthoughts. The time has come for them to be addressed.
1 10 of the largest US healthcare companies by revenue | 2024. Accessed July 10, 2024. https://www.beckershospitalreview.com/rankings-and-ratings/15-largest-us-healthcare-companies-by-revenue-2024.html
2 The Change Healthcare attack: Explaining how it happened. Accessed July 10, 2024. https://www.techtarget.com/whatis/feature/The-Change-Healthcare-attack-Explaining-how-it-happened
3 Chairman’s News | Newsroom | The United States Senate Committee on Finance. Accessed July 10, 2024. https://www.finance.senate.gov/chairmans-news/wyden-hearing-statement-on-change-healthcare-cyberattack-and-unitedhealth-groups-response
4 Change Healthcare cyberattack: Patients to be told of stolen data. Accessed July 10, 2024. https://www.statnews.com/2024/06/20/change-healthcare-cyberattack-patient-data-stolen-notification/
5 The impact of the Change Healthcare cyberattack: What to know | Association of Health Care Journalists. Accessed July 11, 2024. https://healthjournalism.org/blog/2024/04/the-impact-of-the-change-healthcare-cyberattack-what-to-know/
6 UnitedHealth under antitrust investigation by DOJ: reports | Healthcare Dive. Accessed July 11, 2024. https://www.healthcaredive.com/news/unitedhealth-antitrust-investigation-doj-unitedhealthcare-optum/708727/
7 cyberattack C. Over 1,400 individuals responded to an informal AMA survey of the Federation of Medicine (state medical associations and national medical specialty societies) on the impact of the.
8 Building Business Resilience in an Age of Radical Uncertainty – Frank Hawkins Kenan Institute of Private Enterprise. Accessed July 11, 2024. https://kenaninstitute.unc.edu/commentary/building-business-resilience-in-an-age-of-radical-uncertainty/
Business Resilience and Risk Management: The Change Healthcare Cyberattack