The potential impact of cyberattacks like the Change Healthcare ransomware hack will be a factor in evaluating mergers and whether companies are protecting consumers, Federal Trade Commission Chair Lina Khan said Tuesday.
The Feb. 21 Change hack has snarled payment systems, seriously crimping cash flow for providers and others in what's been described as the biggest cyberattack against healthcare. It has sparked a furor from the federal government and Capitol Hill. The company said Monday it paid a ransom.
Related: Feds launch healthcare antitrust reporting portal
How to head off such attacks, or at least limit their damage, has been an ongoing discussion, and Khan said while the Justice Department has jurisdiction over insurers, there are elements for the FTC to address.
Speaking to reporters at a roundtable sponsored by healthcare policy think tank KFF, Khan compared the fallout to what happened in other realms such as when baby formula supplies were severely limited because of failures at one factory and supply chain issues during the COVID-19 pandemic.
"The more you concentrate production, the more you concentrate risk. And so if you have a single shock or a single disaster, that could have cascading ramifications," Khan said.
The most recent merger guidelines put out by the FTC address not only issues such as price and quality, but data security as well.
"If we think a merger could substantially lessen competition in ways that could eliminate either the incentive to continue investing in data security or otherwise create some of those consolidation risks, that could definitely be part of our analysis," Khan said.
That investigation would be in addition to the agency's consumer protection responsibilities, which Khan was asked about in the context of the Change attack.
"We enforce the consumer protection laws, including against companies that we think are being reckless and not adequately putting in place data security safeguards," Khan said.
"It's fair to say we have seen ways in which consolidation and concentration of data can create more vulnerabilities, because if there's a hack, there's more that could get exposed," Khan said. "That's why across our privacy and data security work, one of the key remedies that we've been pushing is this concept of data minimization, the idea that you should really minimize what data you're even collecting, or storing in the first place, again, because the less you collect and store the less that any hack could ultimately expose."
The Justice Department opposed Optum's acquisition of Change — as did groups like the American Hospital Association — but lost in court.