Changed: Independent Practice in the Age of Cyberterrorism
I became aware of a problem related to patient claim submission in late February, when the electronic claim submissions through my electronic medical record platform ground to a halt. As most psychologists are aware, Change Healthcare, a clearinghouse that processes approximately one-third of all medical claims in the United States, was hacked. The American Hospital Association called the hack the most impactful and consequential cybersecurity attack on the healthcare system in U.S. history.
By March 5, the U.S. Department of Health and Human Services had put out a press release. Change Healthcare, a subsidiary of UnitedHealth Group, was hacked by BlackCat/ALPHV.
Andrew Witty, CEO of UnitedHealth Group, testified before Congress and noted that the breach affected a “substantial portion of people across the country,” as well as military personnel.
Even more chilling, UnitedHealth Group states on its website: “Based on initial targeted data sampling to date, we have found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”
Health Affairs Forefront reported that 8 terabytes of data affecting more than 85 million Americans was stolen.
Despite UnitedHealth Group paying the extortionists, the stolen healthcare data was not returned or destroyed. According to a March 4 article in the publication Wired, an affiliate partner involved in the cyberattack was not paid its share by BlackCat/ALPHV.
Consequently, this partner has maintained possession of the data. To date, UnitedHealth Group has been unable to notify individual victims of the attack because it is still analyzing the scope of the incident.
The vulnerability of psychotherapy patient records to cyberattacks is concerning. The number of ransomware attacks nearly doubled between 2022 and 2023, according to a 2024 white paper published by the Black Kite Research and Intelligence Team (BRITE).
The publication Frontiers in Digital Health reported in 2023 that psychotherapy records from the Behavioral Health Center in Bangor, Maine, were hacked in 2017 and listed on the dark web. Similarly, the BBC reported in 2024 that children’s mental health records in Scotland were hacked and published. Healthcare is critical infrastructure holding a great deal of sensitive data, so healthcare systems are attractive targets for cybercriminals. Hospitals in Connecticut and Rhode Island were the targets of separate ransomware attacks in 2023.
The Change Healthcare cyberattack makes clear that psychologists in clinical practice have little ability to protect electronic health data once it has been exchanged, whether to facilitate claims processing or to comply with state-mandated healthcare data exchanges; from that point on, its security rests with the clearinghouse or exchange that received it.
However, it is within our control to adhere to best practices for the cybersecurity of electronic medical records. These include strong, unique passwords; multifactor authentication (on the EHR login and on the email account used to reset it); control over who has access to the medical record, and to which parts of it; encrypted connections; and prompt software updates, both to the operating system of a device and to every installed application.
Regular training for all employees to recognize phishing scams is essential. Practitioners can also develop an incident response plan that provides guidance in the event of a cybersecurity breach: whom to contact (the EHR vendor, cyber insurer, and legal counsel), what evidence to preserve, and which patient and regulatory notifications are required.
Though we are often asked to allow an outside party to sync another application with the mental health electronic medical record system calendar, or to facilitate the healthcare data exchange required by state law, every additional interface incurs some level of risk of a data breach. The data shared across each interface should therefore be limited to what that interface actually needs.
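The two controls above that a small practice can actually enforce in software, deciding who sees which parts of a record and sending an outside integration only what it needs, fit together as a single field-level allowlist. The following is an added example, not code from the original article or from any EHR vendor: it models a session record, releases only the fields each recipient is allowed, refuses unknown recipients, replaces the chart number with an opaque keyed token before it reaches a calendar sync, and records every release for later audit. The record layout, the role and integration names, the sample record, and the practice key are all constructed assumptions.

```python
"""Field-level data minimization for a small practice's EHR exports.

Added example (not from the original article or any EHR product). Every
recipient of patient data, whether a staff role or an external integration,
gets only the fields it needs; everything else is dropped, unknown
recipients are refused, and every release is logged for audit.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample record; the field names are hypothetical.
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-1042",
    "patient_name": "Jane Doe",
    "dob": "1985-03-14",
    "diagnosis_code": "F41.1",
    "session_start": "2024-03-07T10:00",
    "session_end": "2024-03-07T10:50",
    "cpt_code": "90837",
    "session_notes": "Discussed work stressors; practiced grounding.",
    "substance_use_history": "None reported",
}

# Per-recipient allowlists: anything not listed is never released (deny by
# default). A claims clearinghouse needs identity, dates and codes but never
# the narrative notes; a calendar integration needs only the time slot.
ALLOWLISTS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset(SAMPLE_RECORD),  # treating clinician: full record
    "billing": frozenset({"patient_id", "patient_name", "dob",
                          "diagnosis_code", "cpt_code", "session_start"}),
    "calendar_sync": frozenset({"patient_id", "session_start", "session_end"}),
}

# Recipients outside the practice. For these, the narrative fields below are
# stripped even if someone later edits an allowlist carelessly.
EXTERNAL_RECIPIENTS: FrozenSet[str] = frozenset({"billing", "calendar_sync"})
NEVER_EXPORT: FrozenSet[str] = frozenset({"session_notes", "substance_use_history"})

# Recipients that must not learn the real chart number at all.
PSEUDONYMIZED_RECIPIENTS: FrozenSet[str] = frozenset({"calendar_sync"})

# Placeholder only: a real deployment loads this from a secrets store.
PRACTICE_KEY = b"constructed-example-key-do-not-use"


def opaque_ref(patient_id: str) -> str:
    """Keyed, non-reversible token standing in for the chart number.

    Only someone holding PRACTICE_KEY can recompute it, so a leaked calendar
    does not by itself reveal who the appointment was for."""
    return hmac.new(PRACTICE_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class AuditLog:
    """(recipient, patient_id, fields released) for every request, allowed or not."""
    entries: List[Tuple[str, str, Tuple[str, ...]]] = field(default_factory=list)

    def record(self, recipient: str, patient_id: str, released: Iterable[str]) -> None:
        self.entries.append((recipient, patient_id, tuple(sorted(released))))


class AccessDenied(Exception):
    pass


def release(record: Dict[str, str], recipient: str, audit: AuditLog) -> Dict[str, str]:
    """Return the subset of `record` that `recipient` may receive."""
    patient_id = record.get("patient_id", "?")
    allowed = ALLOWLISTS.get(recipient)
    if allowed is None:
        audit.record(recipient, patient_id, ())      # refusals are logged too
        raise AccessDenied(f"no allowlist for recipient {recipient!r}")
    if recipient in EXTERNAL_RECIPIENTS:
        allowed = allowed - NEVER_EXPORT
    released = {k: v for k, v in record.items() if k in allowed}
    if recipient in PSEUDONYMIZED_RECIPIENTS and "patient_id" in released:
        released["slot_ref"] = opaque_ref(released.pop("patient_id"))
    audit.record(recipient, patient_id, released.keys())
    return released


if __name__ == "__main__":
    log = AuditLog()
    for who in ("clinician", "billing", "calendar_sync"):
        print(who, "->", sorted(release(SAMPLE_RECORD, who, log)))
    try:
        release(SAMPLE_RECORD, "marketing_plugin", log)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in log.entries:
        print("audit:", entry)
```

The point of the allowlist rather than a blocklist is that a new field added to the record later (say, a free-text risk assessment) is withheld from every integration automatically until someone decides it is needed; the separate NEVER_EXPORT set is a second guard for the fields whose exposure did the most damage in the Maine breach described below.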
The website DataBreaches.net reported that an ad for the records from the Behavioral Health Center in Maine ran on a dark web forum in 2017. It advertised detailed information, including substance abuse history, legal history, psychiatric history, and notes from all therapy sessions, for sale at a minimum bid of $10,000.
The Change Healthcare incident is of such magnitude that it may take years to fully understand the long-term consequences. But this breach of several thousand patient records at a New England mental health practice is a relatable concern for any independent practitioner.
As psychologists, we need to balance our obligation to document appropriately in the electronic medical record with the goal of protecting patient privacy by documenting no more than needed. We can only hope that the Change Healthcare cybersecurity breach will live up to its name and serve as an impetus for policy change to improve the cybersecurity and privacy of mental health care.