Skip to Main Content

September 25, 2024   

The Data Incident That Changed Health Care, Part 3: The Impact of the Change Healthcare Data Breach on the U.S. Health Care System and Lessons Learned for Health Care Providers

This Briefing is brought to you by AHLA’s Health Information and Technology Practice Group.
  • September 25, 2024
  • Gina L. Bertolini , K&L Gates LLP
  • Jennifer Kreick , Haynes and Boone LLP
  • Marty Folliard , K&L Gates LLP

Part 3: Best Practices to Mitigate Cybersecurity Risks for Health Care Organizations

Earlier this year, in the largest health care data breach to date in the United States, Change Healthcare, a subsidiary of UnitedHealth Group (UHG) was hacked. The intruders disrupted operations and stole from four to six terabytes (TB) of health care patient data, including personal information, payment details, insurance records, and other sensitive information. The outside world learned of this incident on February 21, 2024 when UHG filed a Form 8-K with the U.S. Securities and Exchange Commission to report a cybersecurity incident affecting Change Healthcare. In its filing, UHG reported that it identified that a “suspected nation-state associated cyber threat actor had gained access to some of the Change Healthcare information technology systems.” Change Healthcare further reported that it “proactively isolated the impacted systems from other connecting systems” and that it could not estimate the duration or extent of the disruption.

This report began one of the largest and most significant cybersecurity investigations impacting the U.S. health care sector to date, encompassing nearly 50% of all U.S. health care claims and approximately one-third of Americans. This article provides a summary of the Change Healthcare cybersecurity incident and the unprecedented industry and government response (based on facts known to date) and highlights best practices for health care providers to mitigate cybersecurity risks going forward.

In Part 3 of this three-part article, we outline best practices for health care providers to mitigate cybersecurity risks.

ARTICLE TAGS

You must be logged in to access this content.