MedCity Influencers

Credit Monitoring Won’t Save You: The True Fallout of the Change Healthcare Hack is Just Beginning

The attack has given detailed dossiers on millions of lives to criminals, employers, enemies and anyone with the means and motivation to exploit them. This isn't just another data breach, it's a healthcare catastrophe — and it's being inexplicably downplayed.


Four months after the Feb. 21 cyberattack on Change Healthcare, news of the hack is dying down in the headlines just as the full fallout is beginning. Recent reports confirm the attack exposed sensitive medical and financial data of 110-130 million Americans. Even more troubling, these records are presumably for sale on the dark web here and now — everything from comprehensive medical histories to diagnoses to financial records, giving detailed dossiers on millions of lives to criminals, employers, enemies and anyone with the means and motivation to exploit them.

This isn’t just another data breach. It’s a healthcare catastrophe. And it’s being inexplicably downplayed. As a veteran of financial technology now working in healthcare innovation, I’m shocked by the lack of attention and action this crisis has received. Consider the scale: Change Healthcare, a UnitedHealth Group subsidiary, processes 15 billion healthcare transactions annually. It’s the backbone of America’s healthcare payment system. When it was compromised, it was a direct hit to our nation’s critical infrastructure. The ramifications of this hack are only beginning to unfold, threatening patients, providers, insurers, and government agencies alike.

The scope of this exposure is unprecedented


The compromised information goes beyond names and birthdates, including:

  • Health insurance details (including member IDs and government payer numbers)
  • Comprehensive medical records (diagnoses, treatments, test results)
  • Financial and payment data (claim numbers, account details, payment history)
  • Social Security numbers, driver’s licenses, and passport numbers

This level of exposure? Absolutely astounding. It’s as if the most intimate details of 110 million Americans’ health and financial lives were suddenly plastered on billboards across the country. Combined with publicly available information from social media, criminals can construct complete profiles of individuals and their families.

UnitedHealth’s response: A paper umbrella in a Category 5 hurricane


UnitedHealth’s response to this monumental breach is not just inadequate; it’s a slap in the face to millions of us whose most sensitive data is now exposed. Their grand gesture: mailing letters to victims (while admitting they don’t even have all the addresses) and offering two years of complimentary credit monitoring and identity theft protection services. Let’s be clear: Credit monitoring does nothing to protect against the complex and devastating forms of fraud that this breach enables. It’s like installing a smoke detector after your house has already burned down. Affected Americans now face a range of potentially life-altering frauds that no credit monitoring service can prevent or undo.

Five potential fraud scenarios

Based on the nature of the exposed data and current fraud trends, here are the top five threats I believe will emerge in the next nine months:

  1. Synthetic identity creation: Criminals could fabricate new identities by combining fragments of real people’s information. These “synthetic identities” could be used to open credit accounts, secure loans and even receive medical treatment.
  2. Provider fraud: Criminals could create synthetic doctor profiles using stolen Tax Identification Numbers (TINs) and patient data. Armed with patients’ visit histories, medications and test results, they could submit highly convincing fraudulent claims to Medicare and Medicaid.
  3. Child identity theft: Criminals could also create synthetic identities for minors by combining stolen health data with information from social media. Exploiting the clean credit histories of young victims, they could open accounts or secure loans that may go undetected for years.
  4. AI-powered healthcare fraud: This data could train AI to impersonate patients or providers, leading to unprecedented levels of fraud that could bankrupt individuals and healthcare providers.
  5. Pharmaceutical fraud: Criminals could impersonate patients to obtain controlled substances like Adderall, potentially creating a black-market operation over time.

The anatomy of a catastrophe: How did we get here?

To truly understand the magnitude of this breach, we need to examine the vulnerabilities that made it possible. At its core, the healthcare industry is plagued by three interconnected issues: outdated technology, lag in oversight and monopolistic control.

First, the healthcare industry’s reliance on legacy systems isn’t just inefficient, it’s dangerous. This infrastructure was outdated when the iPhone was introduced, yet it’s still handling our most sensitive data. In 2024, the use of fax machines and CSV files for transmitting health information is an anachronistic security risk waiting to be exploited.

Governance is equally outdated. While other industries have modernized data protection practices, healthcare still relies on the Health Insurance Portability and Accountability Act (HIPAA) — a law from 1996, when the internet was in its infancy. This regulatory lag has left the industry unprepared for today’s evolving cyber threats.

Compounding these issues is the monopolistic control of healthcare administration. UnitedHealth’s dominance, cemented through acquisitions like Change Healthcare, has created a near-monopoly in health data processing. The result? A concentration of power so intense that a single point of failure can paralyze the entire system — exactly what we’re witnessing now. We don’t have a single-payer system in America, but we do have a single administrator, and that’s a catastrophic vulnerability.

Widespread complacency in the face of failure

The muted response to this crisis is puzzling and infuriating. UnitedHealth Group seems to be operating with impunity, underscoring a dangerous reality: Their dominance has made them seemingly untouchable. 

One reason we don’t see widespread outrage is the complexity of the healthcare system. Change Healthcare’s role is hard to understand, and many people haven’t even heard of this company nested within one of the largest health insurers. This complexity, however, doesn’t justify inaction.

We’ve become numb to cyberattacks, but the cost is too high to ignore. While I can forgive the general population’s lack of outrage, I cannot excuse policymakers and industry leaders. This is their responsibility, and their silence is deafening.

The road ahead

Our current systems are ill-equipped to handle the historic fraud we’re likely to witness in the coming months. The Change Healthcare hack exposed the rot at the core of our healthcare data systems, and this problem won’t be solved with half-measures.

What we need is a fundamental reimagining of how we collect, store and use health data. This requires committed engagement from market players and policymakers to tackle these issues head-on. We must ask: What infrastructure changes are necessary to truly resolve these vulnerabilities?

The fraud scenarios I’ve outlined aren’t hypothetical; they’re blueprints for impending chaos. The time for incremental change has passed. We need bold, decisive action to restore trust in our healthcare system and protect Americans from the devastating consequences of this breach. The stakes couldn’t be higher, and the clock is ticking.

Photo: traffic_analyzer, Getty Images

Boe Hartman is co-founder and Chief Technology Officer (CTO) of Nomi Health. He brings nearly 30 years of global technology and banking experience from some of the world’s most innovative companies including Capital One, Barclays and Goldman Sachs.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.