Weeks after the massive cyberattack, Tampa Bay patients still have little insight into whether their personal health data was compromised during the incident, and many hospitals and clinics The company they use to submit medical claims to insurance companies and receive reimbursement has been paralyzed.
The Feb. 21 cyberattack drew intense scrutiny from federal lawmakers and law enforcement agencies, targeting UnitedHealth Group, the nation's largest health insurance company, and its subsidiary, which acts as a digital intermediary between doctors and insurance. This led to three class action lawsuits against Change Healthcare. Companies across the country. The company plays an important role in the health care system and is involved in one of his three patient records in the United States.
Here's what people need to know about cyberattacks and their aftermath.
Who is responsible?
A group known as BlackCat or ALPHV was responsible for the attack on Change Healthcare. The Russian-speaking gang develops ransomware, which “associates” deploy to targets to steal data and encrypt victims' computer systems. They decrypt the system and demand a ransom in exchange for not publishing the data.
According to one class action lawsuit filed in 2016, BlackCat stole more than 6 terabytes of information from Change Healthcare, including millions of medical and dental records, phone numbers, addresses, Social Security numbers, emails, and information about active-duty U.S. military personnel. claims to have extracted data. Federal Court of the State of Minnesota.
The complaint says the group obtained sensitive data about organizations such as Medicare, Tricare, CVS Caremark, Loomis, and MetLife. The complaint alleges that the leaked personal information is “highly coveted” because criminals could use it to commit identity fraud.
“The potential impacts are significant and may continue for years to come,” the lawsuit states.
WIRED reports that a Bitcoin address associated with the gang recently received about $22 million, suggesting that Change Healthcare paid the ransom.
Was patient data actually compromised?
Tampa Bay hospitals have not yet received confirmation, according to an email from a representative this week.
HCA Healthcare is in “regular communication” with both companies, but “we have not heard anything official regarding this matter,” said Deb McKell, a spokeswoman for the hospital chain's West Florida division.
The 16-hospital BayCare Health System “has not been notified that personally identifiable medical information was involved” in the cyberattack, spokeswoman Joni James said.
AdventHealth expects UnitedHealth Group to notify patients who “may be affected,” spokeswoman Beth Tunis said.
Change Healthcare “has not informed us of the information disclosed,” Tampa General Hospital spokeswoman Amanda Beavis added.
Orlando Health, which owns Bayfront Hospital in St. Petersburg, declined to comment. Johns Hopkins School of Medicine did not respond by the time this article was published.
/cloudfront-us-east-1.images.arcpublishing.com/tbt/UD4IDQTGHFFUZM43GMJ7RO2ZFE.JPG "Check out the top stories in Tampa Bay")
Check out the top stories in Tampa Bay
Subscribe to the free DayStarter Newsletter
We'll send you the latest news and information you need to know every morning.
Everyone is registered!
Want more free weekly newsletters sent to your inbox? let's start.
consider all options
Asked whether patient data may have been compromised, Mary Mayhew, president and CEO of the Florida Hospital Association, said she could not comment.
“We know that cyberattacks and persistent efforts to access data are the real threat,” she said.
What are companies saying?
UnitedHealth Group directed the Times to a webpage about the cyberattack, but said it had no other information available.
The webpage says privacy and security staff are “working to understand” the impact on patients.
Is there a survey?
yes. Civil rights investigators at the U.S. Department of Health and Human Services are investigating the issue, focusing on companies' compliance with patient privacy rules.
Kevin Butler, a University of Florida professor and director of the Florida Cybersecurity Institute, said the Federal Bureau of Investigation is also likely involved. The agency declined to comment. UnitedHealth Group said it is in contact with law enforcement.
Butler said the investigation could take several months.
“It's hard to guess exactly what was exposed,” he says.
The Florida Attorney General's Office said Wednesday that it has not received any consumer complaints about the cyberattack.
Why are lawmakers angry?
A group of 20 House Republicans sent a letter to Health and Human Services Secretary Xavier Becerra on Thursday saying they are concerned that the agency's investigation is not focused on consumers.
“The lack of transparency to patients regarding the status of their protected health information poses a serious threat to their well-being,” the letter said.
Lawmakers, including Rep. Vern Buchanan (R-Longboat Key) and Rep. Greg Steube (R-Sarasota), called on authorities to explain when patients will be notified of stolen data. Ta.
The agency did not respond to requests for comment.
What does the lawsuit allege?
A class action lawsuit filed in UnitedHealth Group's home state of Minnesota alleges the healthcare giant's cybersecurity practices were inadequate and failed to protect consumers' personal data.
According to one of the lawsuits, the company “has not yet proactively notified affected patients individually about what specific data has been stolen.”
What can patients do?
Butler said people should regularly check their credit reports in case their Social Security numbers are exposed and criminals use them to take out loans.
The Federal Trade Commission announced last year that credit reporting companies Equifax, Experian and TransUnion were permanently extending a coronavirus relief program that made weekly credit report checks free.
Consumers can report suspected identity theft to federal authorities at identitytheft.gov.
