SCOTT SIMON, HOST:
Major hacking attack threw parts of the U.S. health care system into chaos a couple of months ago. The hackers breached the Change Healthcare company and took hold of sensitive consumer data for ransom. Change is owned by United Health. It processes payments for hundreds of thousands of health care providers. Bruce Japsen is senior health care contributor for Forbes. He joins us now from Chicago. Mr. Japsen, thanks for being with us.
BRUCE JAPSEN: Thanks for having me.
SIMON: What did they get? Do we know whose data got stolen?
JAPSEN: Well, we don't know all that they've gotten, but we do know that from a statement from United's CEO - the company had their earnings last week, and I listened to the call - that this affects a substantial portion of America. United, which is the nation's largest health insurance company - they acquired this company for $13 billion a couple of years ago. And Change - what they do is they're the nation's largest clearinghouse for insurance billing and payments.
Four in five physicians in the United States lost revenue because of this Change Healthcare attack. And that means, you know, that they weren't paid. They're still not being paid. Or they had their payments and their billing, which goes back and forth between, you know, doctors and hospitals and surgery centers, to get their money through Change Healthcare. And it's also delayed care for certain people. Neighbors of mine have two little girls who were born premature. They couldn't see their pediatrician for a few weeks because their system was down.
SIMON: So there are people who can't get health care and people whose most private health care information is just out there now.
JAPSEN: Could be. What they've said so far - and I can just read this to you. They've done an initial sampling, and they've found files containing protected health information or personally identifiable information. This would be name, address, maybe the Social Security number, maybe credit card information, that type of thing. And it would cover, quote, "a substantial proportion of people in America." That's a scary line, right? And that comes from the PR people. The company has not seen evidence of materials such as doctors, charts or full medical histories among the data. But they don't know this for sure. I mean, they say it's ongoing. It's complicated. And it's likely to take several months of continued analysis. I think so far, so good, you know, that they're not getting access to certain medical records.
But who really knows? You know, the company was concerned enough that they paid a ransom, and that - I know that was a big story. I think The New York Times might have broken that story, and they said, oh, my God, United paid a ransom to get this back. Well, I got news for you. That's not a new thing. We had a story in Forbes within the last year that the average ransom demand - this is just in health care - increased from around 800,000 in 2022 to 1.5 million in 2023.
SIMON: So health care systems now have to figure in the cost of ransoms to annual budgets?
JAPSEN: Well, that'll be one of their excuses, I'm sure, to raising your premiums next year. Listen - it is adding costs because this is the biggest health care company in the country. They also own through their Optum business doctor practices, surgery centers. Across the board, it's cost them already - they're projecting over $1 billion that it's going to cost them. And that doesn't include the $6 billion or so that they've been pushing out to pay their network providers and such.
SIMON: When you say it'll cost them, do you mean it'll cost us?
JAPSEN: It's going to cost us. Yes. Oh, yeah, they pass these costs along through their premiums for sure because, you know, they're a publicly traded company, and they answer to their shareholders. And for sure, you're already paying more for these elaborate systems. I think people would be willing, you know, to pay to protect their health information. But it's going to be significant.
SIMON: Does paying a ransom just make more hacks likely?
JAPSEN: Maybe. I'm not - you know, I'm the health care guy. I'm not the ransomware or cyberattack guy, but probably. These people clearly know what they're doing. And let's face it - in health care, companies like United - they have billions of dollars in profit. That's why banks and financial institutions get hacked.
SIMON: How would somebody hearing us today know if they've been hacked or not?
JAPSEN: Well, that's a really good question. You will be getting notified at some point. I think people are already finding out when they call their doctor's office, and they find out that their procedure has been delayed, or maybe a payment has been delayed, or a payment hasn't gone through. Four in five physicians have lost revenue in this. The average primary care physician has about 1,500 to 3,000 patients. So I would venture to guess that of the vast listenership of NPR and the people listening now, a good chunk of them will be getting notified.
SIMON: Forbes senior health care contributor Bruce Japsen, thank you so much for being with us.
JAPSEN: Thanks for having me. Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.