In February 2024, the BlackCat ransomware group breached UnitedHealth's Change Healthcare platform — the largest healthcare data breach in U.S. history. Change Healthcare processes roughly 15 billion medical transactions per year, touching nearly every hospital, pharmacy, and insurer in the country. When the system went down, the entire pipeline of payments, prescriptions, and patient records froze overnight.
UnitedHealth paid a $22 million ransom to the attackers. They took the money and never returned the data — an exit scam. Social Security numbers, credit card details, and medical billing information were sold to the highest bidder. The breach rippled outward to families and caregivers who never used the platform themselves. UnitedHealth's CEO Andrew Witty testified before Congress in May 2024, disclosing that roughly 100 million people were affected. UnitedHealth later confirmed in breach notification filings that the final count reached 192.7 million individuals — nearly 60% of the entire U.S. population.
"I mean literally, you're talking about $0 in your bank account, and you have seventy employees to pay."
Dr. Catherine Mazzola, pediatric neurosurgeon — treats low-income children with cerebral palsy and spina bifida in New Jersey. When the breach halted all reimbursements, her practice lost an estimated $1 million. She wasn't alone: an AMA survey found that 80% of physician practices lost revenue from unpaid claims during the outage. [3]
The breach creates three cascading threats that outlast the attack itself:
These threats don't require sophisticated hacking. In a 2017 study by Thales, 73% of healthcare professionals reported using a colleague's login credentials to access medical records — a clear HIPAA violation. 46% share work-related passwords across accounts used by multiple coworkers. [5] In systems like MyChart or Change Healthcare, there is no tamper-proof record of changes made to documents, making it easy for anyone with access to quietly edit records with little chance of being caught.
Today, every doctor, nurse, or insurer who needs to check your records must first unlock all of them — even if they only need a single answer. Your pharmacist can see every prescription you've ever had. Your entire medical history sits exposed every time someone asks a simple question. And every visit, you fill out the same forms — your information passing through the hands of office staff, nurses, and filing systems, none of them built with cybersecurity in mind. These people have good intentions, but protecting your data isn't their expertise — and it shouldn't have to be.
What if no one ever had to unlock your records to use them?
That's what homomorphic encryption makes possible. Think of it like a locked suggestion box: someone can drop a question in, the box processes it, and spits out an answer — but nobody ever opens the box. Your records stay locked the entire time. Only you hold the key.
The solution to healthcare breaches isn't more firewalls or stronger passwords. It's a fundamentally different approach: make the data useless to anyone who steals it. A hacker could steal your entire record and it wouldn't matter — without your keys, all they have is scrambled noise. The hospital never had the unscrambled version in the first place.
Your record lives on-chain by default, fully encrypted. The level of access is up to you — it could be unlocked with biometrics, a passphrase, or any method you choose. Nothing gets shared without your active consent.
What if you're unconscious or incapacitated? You designate a secondary keyholder — like a power of attorney or emergency contact — who can authorize access on your behalf. Your data stays protected, even when you can't protect it yourself.
"Now imagine that using mind-meld technology, I read your innermost thoughts without your knowledge… Like a doctor who makes a decision to operate without consulting the patient, I'm diminishing your autonomy by undermining it. I'm making your decision to share or not to share information with me completely moot. I've already made that decision for you."
Michael P. Lynch, philosopher and director of the Humanities Institute at the University of Connecticut, on why reading someone's private information without consent diminishes their autonomy as a person. When 100 million medical records are stolen, it's not just a financial crisis — it's a violation of personhood on a national scale. [6]
The regulatory landscape is shifting fast. As of January 2026, new federal rules require prior authorization decisions in 7 days instead of 14 — with electronic data sharing mandated by 2027.
Deloitte found that 80% of healthcare executives say regulatory changes will shape their 2026 strategy, and 70% plan alliances with technology companies. [4] The industry is actively looking for solutions like OBERISK.
Healthcare records need protection for 50+ years. A child born today will still need their medical history protected in 2080. OBERISK uses blockchain not as a buzzword, but as the backbone for a system where every access is permanently logged, every record is encrypted, and every computation happens without exposing the underlying data.
You have full control over your records. Hospitals can query them without ever seeing the raw data — and nothing is shared without your active consent, whether that's a biometric scan, a passphrase, or a tap.
With patient consent, doctors access the full aggregated record from every provider in one place. Every access is permanently timestamped — who viewed what, and when.
Every change to every record is permanently logged and mathematically verified — no one can secretly edit your chart.
The encryption is designed to survive even future quantum computers, which could break today's standard security.
In 2024, the U.S. government finalized new encryption standards designed to resist quantum computers.
The largest security upgrade in history is already underway.
OBERISK is built on it from day one.
Every interaction is permanently logged on a tamper-proof ledger. No one can quietly view, edit, or delete records. Here's what each person experiences:
Today's encryption is like a lock that works perfectly — until someone builds a better lockpick. Quantum computers, which are advancing rapidly, will eventually crack the encryption that protects most of the internet, including healthcare data. An analysis published in Nature showed that quantum machines could dramatically reduce the time needed to break current blockchain security. [7]
OBERISK is designed for this future. It combines four distinct technologies — each one handling a different part of the problem — and all of them use math that quantum computers can't crack. The entire system's security rests on just two well-studied mathematical foundations, meaning there are fewer things that can go wrong.
The core breakthrough: run calculations on encrypted data and get correct answers — without ever decrypting it. The hospital can check if you're allergic to penicillin without seeing your full medical history.
Mathematically prove that a computation was done correctly — without showing the data used. Think of it as a receipt that proves the math was right, without revealing what was calculated.
A doctor can prove "I'm a licensed cardiologist" without exposing credentials to hackers or third parties — while the system still tracks exactly who accessed what. Every login is verified and auditable.
Not Bitcoin. Not Ethereum. A private blockchain built specifically for healthcare, governed by hospitals and regulators — not cryptocurrency miners. Every change is permanently recorded and auditable.
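One way to get the tamper evidence described above, as an added example (not OBERISK's implementation): a SHA-256 hash chain over access events, checked against a head value that independent parties hold. The actor names, record paths and timestamps are constructed, and `rebuild` is a hypothetical helper that models a log recomputed end to end.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start-of-chain value

def entry_hash(prev, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append(log, actor, action, record, ts):
    prev = log[-1]["hash"] if log else GENESIS
    event = {"actor": actor, "action": action, "record": record, "ts": ts}
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]  # new head, to be published to the other parties

def verify(log, trusted_head):
    """Return 'ok', 'broken at <i>', or 'head mismatch'."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["event"]):
            return f"broken at {i}"
        prev = e["hash"]
    # An internally consistent chain still has to end at the head others hold.
    return "ok" if prev == trusted_head else "head mismatch"

def rebuild(events):
    """Hypothetical: a log whose hashes were all recomputed after an edit."""
    log = []
    for ev in events:
        append(log, ev["actor"], ev["action"], ev["record"], ev["ts"])
    return log

def demo():
    log = []
    append(log, "dr.lee", "view", "patient-001/allergies", "2026-01-05T09:00Z")
    append(log, "nurse.kim", "edit", "patient-001/medications", "2026-01-05T09:10Z")
    head = append(log, "insurer.acme", "view", "patient-001/billing", "2026-01-05T09:30Z")
    edited = json.loads(json.dumps(log))     # deep copy of the log
    edited[1]["event"]["action"] = "view"    # one entry changed in place
    events = [e["event"] for e in edited]
    return verify(log, head), verify(edited, head), verify(rebuild(events), head)

if __name__ == "__main__":
    print(demo())
```

The third result is the reason the head has to live with parties other than the one storing the log: a chain recomputed from the edited events is self-consistent and is only caught by comparing its head.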
OBERISK is built in five layers, each handling a different job — identity, encryption, verification, execution, and storage. All five use quantum-resistant math, so even future supercomputers can't break in.
We ran three real clinical queries on fully encrypted patient records. The server answered each question correctly — without ever seeing the actual data. Here's what that looks like:
All queries executed on real encrypted data using TFHE. Times measured on a single machine. The server produces correct answers without ever decrypting the record.
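The property the benchmark above relies on, shown at toy scale as an added example (not OBERISK's code, and not TFHE itself): a plain LWE-style scheme whose ciphertexts can be added, so a server can count how many encrypted allergy flags match a drug's contraindication list without holding the key. The parameters, allergen list and patient flags are constructed for illustration and give no real security.

```python
import random

Q, N, T = 1 << 16, 32, 16   # toy modulus, key length, plaintext range (insecure sizes)
DELTA = Q // T              # scale factor that lifts the message above the noise

def keygen(rng):
    return [rng.randrange(2) for _ in range(N)]          # binary secret key

def encrypt(key, m, rng):
    a = [rng.randrange(Q) for _ in range(N)]             # public random mask
    e = rng.randint(-2, 2)                               # small noise term
    b = (sum(x * s for x, s in zip(a, key)) + e + m * DELTA) % Q
    return (a, b)

def add(c1, c2):
    # Adding ciphertexts component-wise adds the plaintexts (and the noise).
    return ([(x + y) % Q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % Q)

def decrypt(key, c):
    a, b = c
    phase = (b - sum(x * s for x, s in zip(a, key))) % Q  # m*DELTA + noise
    return ((phase + DELTA // 2) // DELTA) % T            # round the noise away

def server_count(enc_flags, indices):
    """Server side, no key: sum the encrypted flags at the queried positions."""
    acc = ([0] * N, 0)                                    # ciphertext of 0, zero noise
    for i in indices:
        acc = add(acc, enc_flags[i])
    return acc

ALLERGENS = ["penicillin", "sulfa", "latex", "aspirin", "iodine"]  # constructed
PATIENT_FLAGS = [1, 0, 0, 1, 0]                                    # constructed

def demo():
    rng = random.Random(2024)   # seeded for a repeatable run; not a secure RNG
    key = keygen(rng)           # stays with the patient
    enc = [encrypt(key, f, rng) for f in PATIENT_FLAGS]   # what the server stores
    queries = [["penicillin"], ["sulfa", "latex"], ["penicillin", "aspirin"]]
    results = []
    for q in queries:
        reply = server_count(enc, [ALLERGENS.index(name) for name in q])
        results.append(decrypt(key, reply))               # patient-side decryption
    return results

if __name__ == "__main__":
    print(demo())
```

Only addition is shown here. The noise grows with every ciphertext added, which is why the count must stay below `T` and why schemes such as TFHE add a noise-refreshing step to evaluate arbitrary circuits.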
Most security systems rely on dozens of assumptions — any one of which could fail. OBERISK's entire security rests on just two math problems that no one has ever solved — not with supercomputers, not with nation-states, and not even with quantum computers.
We designed OBERISK assuming the worst-case scenario: hackers with government-level resources, corrupt insiders, and even future quantum computers. Every defense is built into the math itself — it doesn't depend on people following rules or policies.
The full research paper explains our approach in detail, including threat models, benchmark data, and the math behind each layer. The UX demo shows what the experience could look like for patients, doctors, and insurers.