It’s Time to Fight For Personal Data Rights

Linda Jeng / Nov 27, 2024

Like most Americans, I've been a victim of numerous data breaches. I want to tell you the story of one in particular, which, earlier this year, compromised both sensitive medical and banking data for over 100 million Americans, including my family. At a time when massive companies fall victim to devastating hacks with alarming frequency, the Change Healthcare hack stands out not just for its size but also for the ways in which it highlights all that's broken with how we protect people's personal information. When the new President and Congress take office in January, the legislative agenda is bound to be packed. It's imperative that federal legislators take the opportunity to tackle this urgent vulnerability in society.

To satisfy the cybercriminals that extorted it, Change Healthcare paid a $22 million ransom, yet sensitive data was still leaked onto the dark web and is probably still available there. Meanwhile, my family was not notified that we were victims until seven months after the hack occurred.

Unlike the other data hacks for which I had a clear customer or employment relationship with the hacked organization, I did not know what Change Healthcare was. To my knowledge, I had never dealt with Change Healthcare before. I certainly was not a customer and had never knowingly signed up for an account with them.

How did this company, which I had never heard of before, have two of our most sensitive types of personal data? And why were we informed over seven months after the fact, during which time criminals could have been selling our data on the dark web or actively using them to steal our identities?

It turns out that Change Healthcare is the middleman that processes healthcare claims from health insurance companies and disburses payments to hospitals, physicians, and other healthcare providers. At the time of the hack, Change Healthcare was processing up to half of all medical claims in the US.

The gory details of this hack and its ramifications, which are still playing out, have been widely publicized. Change Healthcare stopped all claims processing and nearly paralyzed the US medical industry. Many hospitals could not make payroll, and many physicians’ practices still struggle to make ends meet despite the nearly $9 billion loan assistance program set up by Change’s parent company UnitedHealth Group.

For consumers like my family, we still do not know how this data hack will impact our financial security and if or when our identities will be stolen. My family spent at least eight frustrating hours placing security freezes on our credit files from the three credit reporting agencies. For our child, this process involved sending via snail mail our child’s birth certificate, our social security numbers, and my driver’s license, plus an hour on the phone begging Equifax to process the same request.

Ultimately, the Change Healthcare hack exemplifies what’s broken with how our personal data are managed. Large middlemen in the healthcare, financial services, and credit reporting industries collect and control our personal data without our informed consent. This situation will only grow worse with AI.

In the absence of federal action, states have taken matters into their own hands. For example, California was the first state to adopt comprehensive data protection laws with the passage of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. These laws give Californians the right to know, the right to delete, the right to opt out, the right to correct, and the right to limit the use of sensitive personal data. At least 20 states have comprehensive data protection laws on the books.

If lawmakers in Washington, DC, do not act, the US will soon have a patchwork of 50 different state laws. If the goal is to require businesses to comply and protect user data, this is nowhere near the place to start. It is time for Congress to grant these important consumer rights to better control and protect personal data and privacy.

Authors

Linda Jeng
Linda Jeng is the founder & CEO of Digital Self Labs, the Visiting Scholar on Financial Technology at Georgetown Law's Institute for International Economic Law, a Senior Lecturing Fellow at Duke Law School, and a Research Fellow at the Bank for International Settlements.
