U.S. finds 100 million people were affected by UnitedHealth healthcare hack

As many as 100 million people were affected by a healthcare hack earlier this year. NPR’s Ayesha Rascoe talks to KFF Health News reporter Darius Tahir about what that means for consumers affected.

AYESHA RASCOE, HOST:

Earlier this year, a Russian hacking group attacked a payment processor named Change Healthcare, which is owned by health insurance giant UnitedHealth. The attack threw the health care industry into chaos, but little was known about the scale of the hack. Last week, it became clear – more than 100 million people had their sensitive personal information stolen. How bad is that? Well, the Department of Health and Human Services says it is the country’s biggest health care data breach ever.

KFF health news reporter Darius Tahir is here to tell us more. Thanks for joining us.

DARIUS TAHIR, BYLINE: Thanks for having me.

RASCOE: Could you give us, like, a quick refresher? Like, what are the specifics of this ransomware attack?

TAHIR: Change operates what’s called a claims clearing house. Basically, what that means is if you’re a doctor, a pharmacist, or even, say, a physical therapist, and you need to bill a health insurer, you’ll probably send the bill through this claims clearing house. So when this hacking group hacked them, it was really a huge scope of attack that impacted not just patient privacy, but also the smooth functioning of the health care system.

RASCOE: Did they find the people responsible for this?

TAHIR: So, the group of people responsible for this seems to be this kind of ransomware group, BlackCat. In 2023, the Department of Justice alleged that they had previously been paid hundreds of millions of dollars in ransoms, and caused hundreds of millions of dollars more economic damage. So this is a rather prolific group.

RASCOE: Back in the spring, we talked to Bruce Japsen of Forbes, to get an idea of the kind of sensitive personal information that the hackers might have gotten access to. And here’s what he told us back then.

(SOUNDBITE OF ARCHIVED NPR BROADCAST)

BRUCE JAPSEN: Name, address, maybe the Social Security number, maybe credit card information. That type of thing.

RASCOE: Do we now know for sure the type of information that they got access to?

TAHIR: Yeah, so right on Change Healthcare’s website you can see a notice of some of the various details. It includes basic contact information, but it also seems to include medical record numbers, providers, diagnoses, medicines, Social Security numbers, driver’s license numbers. So it really was a wide array of information. It’s hard to tell what each individual person’s data has been taken, but that’s the kind of data that they were able to get in aggregate.

RASCOE: A hundred million people – that’s almost one in every three Americans. Even some of my colleagues on the show got letters warning that their data may be compromised. What happens now?

TAHIR: At an individual level, Change Healthcare is offering credit-monitoring services to make sure that your identity isn’t stolen. Now at a societal level, you know, some senators have offered some bills, and then the federal government is also attempting to do some beefed-up regulations. But there’s a question about whether or not it’s really going to do the job, because we really have a patchwork system.

RASCOE: Why do these kind of attacks keep happening? And will they keep happening, especially if they seem to be pretty profitable for the people who are doing them?

TAHIR: Yeah. Well, you’re exactly right. I mean, there’s a supply and demand issue, right? Got a bunch of groups that can get a lot of money to do it, so that’s why there’s a lot of motivation to do it. And then on the health care side, you know, what I’ve been told by folks in the industry is that a lot of health care institutions, especially, you know, if you’re a rural hospital or an independent doctor, you know, you don’t necessarily have the spare money to get every single thing you need to protect your data. So it’s sort of the perfect target, in that you have people who – managing so much else in their lives, they don’t necessarily have the wherewithal to defend their services. So that’s an important element.

RASCOE: Does HHS have any rules in place, or tools at their disposal, to make sure that companies are doing everything they can to secure consumer data?

TAHIR: The most famous regulation is called HIPAA. It helps protect some of your privacy stuff. Now, it has limitations. It doesn’t protect every single kind of data. And some people will say, look, you know, the level of fines that they have, and the amount of time it takes to assess these fines, mean that it’s not a great deterrent to make sure that you’re, you know, taking every step. You know, basically, when I’ve talked to, you know, folks of government, and formerly of government, you know, their point is that they’re a little outgunned when it comes to the amount of resources that they have.

RASCOE: That’s KFF health reporter Darius Tahir. Thanks for being with us.

TAHIR: Thank you for having me.

Copyright © 2024 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.