The Bid Picture with Bidemi Ologunde 335. Unexpected Repercussions from the Change Healthcare Cyberattack.
In this episode, host Bidemi Ologunde discussed the recent data breach at Change Healthcare. The breach was facilitated by the absence of multi-factor authentication (MFA) on their Citrix portal, allowing threat actors to easily access and compromise the system. The attack, attributed to the ALPHV/BlackCat ransomware group, resulted in significant operational disruptions and financial losses estimated at $872 million.
The breach is particularly concerning because medical records, unlike financial information, do not have a shelf life and remain valuable indefinitely. This makes healthcare data a prime target for cybercriminals. The aftermath of the breach has seen a considerable impact on the cash flow of medical providers due to disruptions in payment processing and other critical services.
In response to the breach, government agencies like the Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) have taken steps to mitigate the impact. CMS, for instance, has allowed states to make interim Medicaid payments to affected providers, and OCR is actively investigating the incident and reminding covered entities of their breach notification obligations under HIPAA.
Lawmakers have also been engaged, with discussions around the breach occurring in senate hearings and the deployment of class-action lawsuits against UnitedHealth Group, accusing it of inadequate cybersecurity measures that led to the breach.