What Tampa Bay patients should know about major health care cyberattack

Weeks after a massive cyberattack, Tampa Bay patients still have little insight into whether their personal health data was breached during the incident, which paralyzed a company many hospitals and doctors’ offices use to submit medical claims to insurers and get reimbursed.

The Feb. 21 cyberattack has drawn the scrutiny of federal lawmakers and investigators and has led to three class-action lawsuits against UnitedHealth Group, the country’s largest health insurer, and a subsidiary, Change Healthcare, which acts as a digital middleman between physicians and insurance companies nationwide. The firm plays a crucial role in the health care system and is involved in 1 of every 3 U.S. patient records.

Here’s what people should know about the cyberattack and its aftermath.

Who’s responsible?

A group known as BlackCat or ALPHV has taken responsibility for attacking Change Healthcare. The Russian-speaking gang develops ransomware, then “affiliates” deploy it against targets, stealing data and encrypting victims’ computer systems. They demand a ransom in exchange for decrypting the systems and not publishing the data.

BlackCat claims it extracted more than 6 terabytes of data from Change Healthcare, including millions of medical and dental records, phone numbers, addresses, Social Security numbers, emails and active U.S. military personnel information, according to one of the class-action lawsuits filed in Minnesota federal court.

The gang said it obtained sensitive data about Medicare, Tricare, CVS Caremark, Loomis and MetLife, among other organizations, according to the lawsuit. The personal information exposed is “highly coveted,” the lawsuit alleged, because criminals can use it to commit identity fraud.

“The potential impact,” the lawsuit said, “is enormous and its effects may be felt for years to come.”

WIRED reported that a bitcoin address connected to the gang recently received about $22 million, suggesting that Change Healthcare paid a ransom.

Was patients’ data actually breached?

Tampa Bay hospitals have yet to receive any confirmation, according to emails from representatives this week.

HCA Healthcare is in “regular communication” with the companies, but “we have not heard anything official on the topic,” said Deb McKell, spokesperson for the hospital chain’s West Florida division.

The 16-hospital BayCare Health System “has not received any notification of personally identifiable health information being involved” in the cyberattack, spokesperson Joni James said.

AdventHealth expects UnitedHealth Group will notify any patients “potentially affected,” according to spokesperson Beth Tunis.

Change Healthcare “has not informed us of information disclosed,” Tampa General Hospital spokesperson Amanda Bevis added.

Orlando Health, which owns Bayfront Hospital in St. Petersburg, provided a statement that didn’t answer the Tampa Bay Times’ questions and did not comment further. Johns Hopkins Medicine didn’t respond before publication of this story.

Asked if it was likely that patients’ data was breached, Mary Mayhew, president and chief executive of the Florida Hospital Association, said she was unable to offer comment.

“We know that cyberattacks and the persistent efforts to get access to data is a real threat,” she said.

What do the companies say?

UnitedHealth Group directed the Times to a webpage about the cyberattack and said no other information was available.

The webpage says privacy and security staff are “working to understand” the impact to patients.

Is there an investigation?

Yes. Civil rights investigators at the U.S. Department of Health and Human Services are looking into the matter, focusing on the companies’ compliance with patient privacy rules.

Kevin Butler, a University of Florida professor who heads the Florida Institute for Cybersecurity Research, said the Federal Bureau of Investigation is likely involved, too. The agency declined to comment. UnitedHealth Group said it’s been in touch with law enforcement.

An investigation may take months, Butler said.

“It’s hard to speculate on exactly what might have been exposed,” he said.

The Florida Attorney General’s Office on Wednesday said it hasn’t received any consumer complaints about the cyberattack.

Why are lawmakers upset?

A group of 20 House Republicans sent a letter Thursday to Xavier Becerra, the health and human services secretary, saying they’re worried the agency’s investigation is not focusing on consumers.

“The lack of transparency for patients regarding the status of their protected health information poses an active threat to patient well-being,” the letter said.

The lawmakers, including Reps. Vern Buchanan, R-Longboat Key, and Greg Steube, R-Sarasota, asked officials to explain when patients will be notified of stolen data.

The agency didn’t immediately respond to a request for comment.

What do the lawsuits claim?

The class-action complaints filed in Minnesota, where UnitedHealth Group is based, allege that the health care giant’s cybersecurity practices were inadequate and failed to protect consumers’ personal data.

The company has “yet to affirmatively notify impacted patients individually regarding which specific data was stolen,” one of the lawsuits said.

What can patients do?

People should regularly check their credit report, Butler said, in case their Social Security number was disclosed and criminals used it to take out a loan.

The Federal Trade Commission announced last year that credit bureaus Equifax, Experian and TransUnion permanently extended a COVID-19 program making it free to check credit reports weekly.

Consumers can report suspected identity theft to federal officials at identitytheft.gov.

Editor’s note: This story has been updated to reflect that Orlando Health did comment for this story.