The Change Healthcare Data Breach: A Wake-Up Call for the Healthcare Industry

In a digital age where data breaches are becoming all too common, the healthcare sector has been hit with what could be the most significant cyberattack in its history. Change Healthcare, a cornerstone in healthcare data management and a vital intermediary between payers and providers, has fallen victim to a sophisticated cyberattack, suspected to be orchestrated by a notorious Russian hacking group — BlackCat/ALPHV linked to previous high-profile breaches, including incidents involving Reddit and the MGM casino.

It’s expected to take at least another month before Change Healthcare systems come back online.

Immediate Impact: A Crippled Healthcare Payment Ecosystem

The breach forced Change Healthcare to voluntarily shut down its systems, a drastic measure taken to prevent further damage. However, the full extent of the data leaked remains unclear, raising alarms about the potential exposure of sensitive healthcare information. The immediate fallout is profound: numerous payers and providers are in disarray, unable to check eligibility, submit claims, or receive payments. This disruption not only affects those directly using Change Healthcare’s services but also cascades through the industry due to the interconnectedness of payment processes, especially involving government payers. I have seen this firsthand with the many providers whom I have spoken with.

Data flow of medical data and each touchpoint with a clearinghouse such as Change Healthcare

The Ripple Effects: Administrative and Operational Chaos

Healthcare providers, who often rely on a single EDI (Electronic Data Interchange) clearinghouse like Change Healthcare for seamless integration with their other software systems, are now facing significant hurdles. This incident underscores the vulnerabilities and inefficiencies inherent in the current system, where a direct connection to insurers, though possible, is impractically burdensome for providers dealing with multiple insurers.

Change Healthcare’s involvement in almost every medical transaction

Moreover, the structure of data transmission in the healthcare sector, often requiring data to “hop” through multiple clearinghouses, highlights the extensive access to sensitive data these intermediaries have. This situation is fraught with risks, as evidenced by the current breach, underscoring the need for stringent data rights and privacy measures.

Legal Background: Prevention May Have Been Possible

This breach is not just a wake-up call for better cybersecurity measures but also shines a light on the broader implications of healthcare data consolidation. The 2022 lawsuit brought by the Department of Justice and the state of Minnesota to prevent the acquisition of Change Healthcare by UnitedHealth Group voiced concerns over the consolidation of healthcare data under a single entity. These concerns have now been starkly realized, emphasizing the dangers of such concentration in the healthcare industry.

Here are 5 challenges brought in the lawsuit:

1. Data rights: The merger would give United access to and control of sensitive business information about its health insurance rivals, such as their claims data and proprietary plan and payment rules, which United could use to co-opt or undermine their competitive strategies.
2. EDI clearinghouse: The merger would allow United to use its control over Change’s EDI clearinghouse, which transmits data between providers and insurers, to disadvantage its health insurance rivals by raising their costs, denying or delaying their access to innovations and quality improvements, and threatening to drop them to paper claims.
3. Claims editing: The merger would eliminate significant head-to-head competition between United and Change for the sale of first-pass claims editing solutions, which are software and services health insurers use to help adjudicate claims, resulting in higher prices, lower quality, and reduced innovation for health insurers.
4. Health insurance markets: The merger would likely substantially reduce competition in the markets for commercial health insurance to national accounts and large group employers, resulting in higher cost, lower quality, and less innovative health insurance plans for employers and their employees.
5. Remedy: The merger would be difficult to remedy effectively, as efforts to cordon off a health insurance rival’s competitively sensitive information through information firewalls would be insufficient, and United has not proposed any remedy that would preserve competition and prevent the anticompetitive effects of the merger.

Looking Forward: Save the Providers & Patient Data

This incident is likely to serve as a catalyst for major policy changes aimed at preventing the consolidation of health data under one company. For providers, the immediate concern is survival; the inability to process claims and payments threatens the very existence of many, especially smaller providers. As the healthcare industry grapples with the aftermath of this breach, the need for a more resilient, decentralized, and secure data management ecosystem has never been clearer.

A Call to Action: Support and Transparency from Change and United

In light of the substantial challenges posed by the data breach, it is imperative for Change Healthcare and UnitedHealth Group to step up and demonstrate their commitment to the healthcare providers who have been adversely affected. The announcement of temporary funding for providers is a step in the right direction, yet the implementation leaves much to be desired. Providers struggling to navigate the aftermath of the breach are finding little solace in tools like the Optum Pay portal, which, despite promises, lacks clarity and accessibility in offering the much-needed financial support.

Change Healthcare and UnitedHealth Group need to:

• Ensure Absolute Transparency: Both entities must provide clear, regular updates on how the breach is being addressed, including the steps taken to secure data and prevent future incidents. This transparency is crucial for rebuilding trust with their partners and the public.
• Simplify Access to Support: The temporary funding initiative must be accompanied by straightforward, easy-to-use access points. The current state of the Optum Pay portal, with its lack of clear guidance on accessing temporary funding, is unacceptable. I urge a swift improvement to the portal to make it genuinely helpful for providers in need.
• Extend Direct Financial Support: Beyond temporary funding, Change and United should consider additional measures to support affected providers financially, ensuring they can continue their operations without the threat of closure. This support is especially critical for smaller providers who are disproportionately impacted.
• Engage with Providers to Understand Needs: Direct dialogue with affected providers, especially smaller ones, is essential to understand their challenges and adjust support mechanisms accordingly. This engagement should be ongoing, responsive, and reflective of the providers’ immediate and long-term needs.

By addressing these calls to action, Change Healthcare and UnitedHealth Group can play a pivotal role in stabilizing the healthcare ecosystem in the aftermath of this breach. Their response will not only affect their reputation but will also set a precedent for how such crises are managed in the healthcare industry moving forward.

Time for a Change in Healthcare Data Handling

The Change Healthcare breach is a loud wake-up call, reminding us that it’s high time the healthcare industry beefs up its data management game. We’re looking at a future where using FHIR APIs for direct connections between healthcare providers and payers could become the norm, sidestepping the bulky, centralized systems that are proving to be Achilles’ heels in cybersecurity. And let’s not overlook the potential of breaking down data into smaller chunks to keep things safer and more manageable. This isn’t just about bouncing back from a breach; it’s an opportunity to revolutionize how we handle healthcare data, making it smarter, safer, and more patient-focused. The industry needs to grab this moment and run with it, ensuring we’re all better protected down the line.

Learn more about the work we do at Paradigm.