It's being called the largest ever breach of protected patient health information by a government-regulated medical company in America's history.
Change Healthcare, owned by UnitedHealth Group, fell victim to a cyberattack eight months ago, but revealed on Thursday that 100 million people had been impacted.
That surpassed the previous record holder for the worst breach of US patient data: a 2015 episode at Anthem Inc. that compromised 78.8 million individuals.
The first official report by Change Healthcare, which manages revenue and payments for medical providers, estimated in July that only 500 people had been compromised.
Now, the scope of the February 21 ransomware attack has spurred Congress to call for lifting the cap on how much a negligent healthcare firm can be fined.
'The healthcare industry has some of the worst cybersecurity practices in the nation,' Senator Mark Warner said, 'despite its critical importance to Americans' well-being and privacy.'
Today, existing legislation provides a ceiling of $2 million per violation for offenders of the Health Insurance Portability and Accountability Act (HIPAA).
If passed, these 'commonsense reforms' would also 'include jail time for CEOs that lie to the government about their cybersecurity,' Wyden added.
Change Healthcare's parent company attributed the hack to a 'foreign nation' this past winter.
Anthem was fined $16 million, the largest penalty ever imposed for a HIPAA violation, but experts worry such a fine would barely deter today's healthcare giants.
Change Healthcare alerted the Department of Health and Human Services' Office for Civil Rights (OCR) on July 19, noting their internal investigation was ongoing.
Industry observers at the HIPAA Journal noted that the big round number of 100 million, issued in Change's update this month, suggests that 'it is possible that that figure will change.'
'Neither Change Healthcare nor its parent company, UnitedHealth Group (UHG), has confirmed that the file review has been completed,' the journal noted.
But these eye-popping numbers mask the myriad intimate tragedies created by Change Healthcare's and UHG's allegedly lax cybersecurity, which led to millions of Americans losing their healthcare privacy.
Linda Barbour, a career medical director for several large health insurance firms, told reporters that she had assumed the firm would have contacted her the moment it knew her data was exposed.
Change did not get around to informing Barbour until this month.
'Getting it at this point, this delayed, there's really nothing that I could do because so much time had passed,' Barbour told STAT news.
OCR officials at the Department of Health and Human Services (HHS) have reportedly been urging Congress to raise maximum penalties for HIPAA violations, hoping more serious fines might encourage firms to take patient privacy seriously.
And Congress appears to be listening: 'Mega corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,' Wyden noted in his call for tougher federal HIPAA laws.
The new legislation would update Titles XI and XVIII of the Social Security Act — expanding oversight and noncompliance penalties for firms that fail to meet security standards protecting health information.
Called 'The Health Infrastructure Security and Accountability Act,' the bill would also mandate minimum standards for cybersecurity across all US healthcare networks.
Payment processors, private data brokers and major names in tech have all reported massive data breaches this year, including a historic leak of US social security numbers and a hack that pulled data on 1.7 million consumer credit cards.
But healthcare firms have been unique in their sensitivity and lax standards.
The HHS' Office for Civil Rights Breach Portal reports that 394 significant data breaches were documented in 2024, whether due to hacking or IT gaffes. Those 2024 breaches leaked data on over 43 million individuals, the office estimates.
Last year, 602 data breaches were reported as either hacking or IT incidents, estimated to have exposed the private healthcare records of at least 151 million people nationwide.