Despite the explosion in ransomware hacks like the one against Change Healthcare, regulation is spotty and few new safeguards have been proposed to protect patient data, vulnerable hospitals and medical groups.

The recent cyberattack on the billing and payment colossus Change Healthcare revealed just how serious the vulnerabilities are throughout the U.S. health care system, and alerted industry leaders and policymakers to the urgent need for better digital security.

Hospitals, health insurers, physician clinics and others in the industry have increasingly been the targets of significant hacks, culminating in the assault on Change, a unit of the giant UnitedHealth Group, on Feb. 21.

The ransomware attack on the nation’s largest clearinghouse, which handles a third of all patient records, had widespread effects. Fixes and workarounds have alleviated some distress, but providers are still unable to collect billions of dollars in payments. Many smaller hospitals and medical offices are still having trouble getting paid more than a month after Change was first forced to shut down many of its systems.

Even now, very little information about the exact nature and scope of the attack has been disclosed. UnitedHealth said that it had advanced more than $3 billion to struggling providers, and that it expected more of Change’s services to be available in the coming weeks as it brought the systems back online.

The F.B.I. and the Department of Health and Human Services are investigating the Change hack, including whether patients’ records and personal information have been compromised. Because Change’s network acts as a digital switchboard that connects information from a patient’s first doctor visit to a diagnosis like cancer or depression and then subsequent treatment to a health insurer for benefits and payments, there is a risk that people’s medical history could be exposed for years.

The attack on Change is just the most far-reaching example of what has become nearly commonplace in the health care industry. Ransomware attacks, in which criminals shut down computer systems unless the owners pay the hackers, affected 46 hospital systems last year, up from 25 in 2022, according to the data security firm Emsisoft. Hackers have also taken down companies that provide services such as medical transcription and billing in recent years.
