Change Healthcare says it has notified approximately 100 million Americans that their personal, financial, and medical records may have been stolen in a February 2024 ransomware attack, the largest known data breach of protected health information to date.
The ransomware attack on Change Healthcare in the third week of February quickly disrupted the entire U.S. healthcare system, thanks to the company's central role in processing payments and prescriptions on behalf of thousands of organizations. The effects lasted for several months.
Change estimated in April that the breach would affect “a substantial proportion of people in America.” On October 22, the healthcare giant notified the U.S. Department of Health and Human Services (HHS) that “approximately 100 million individual notices have been sent regarding this breach.”
According to the notification letter from Change Healthcare, the stolen data included:
- Health data: medical record numbers, doctors, diagnoses, medications, test results, images, care and treatment.
- Billing records: payment card data and financial and banking records.
- Personal data: Social Security number and driver's license or state ID number.
- Insurance data: health plan/insurance information, insurance company, member/group ID number, and Medicaid, Medicare, or other government payer ID number.
HIPAA Journal reports that UnitedHealth Group, Change's parent company, incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impact, for the nine months ended September 30, 2024.
These costs include the $22 million the company admitted paying to the extortionists, a ransomware group known as BlackCat (also called ALPHV), in exchange for promises to destroy the stolen medical data.
The ransom payment went sideways when an affiliate that had given BlackCat access to Change's network claimed the crime group had cheated it out of its share of the ransom. The entire BlackCat ransomware operation shut down shortly afterward, leaving the affiliates it had recruited to deploy the ransomware without their cut.
Days after BlackCat collapsed, the same stolen medical data was being put up for sale by a competing ransomware group called RansomHub.
RansomHub's victim shaming blog announced on April 16 that “affected insurance companies can contact us to prevent their data from being leaked and [remove] it from sale. For most Americans out there who doubt us: we probably have your personal data.”
It remains unclear whether RansomHub ever sold the stolen medical data. The chief information security officer of a large academic health system affected by the breach, who took part in a call with the FBI, told KrebsOnSecurity that third-party partners were able to recover at least four terabytes of the data leaked from Change by the cybercrime group. The FBI did not respond to requests for comment.
Change Healthcare's breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In a section of the letter entitled “Why did this happen?” Change said only that “cybercriminals gained access to our computer systems without our authorization.”
However, in testimony before the Senate Finance Committee in June 2024, the company disclosed that the intruder had stolen or purchased credentials for a Citrix portal used for remote access, and that the account did not require multi-factor authentication. A single set of valid credentials was therefore enough to reach the internal network from the Internet; requiring MFA on every externally reachable remote-access portal is the control this failure points to.
Last month, Sen. Mark Warner (D-Va.) and Sen. Ron Wyden (D-Ore.) introduced legislation that would require HHS to develop and enforce a set of strict minimum cybersecurity standards for health care providers, health plans, clearinghouses, and their business associates. The measure would also remove the existing caps on fines under the Health Insurance Portability and Accountability Act (HIPAA), which severely limit the penalties HHS can impose on health care providers.
According to HIPAA Journal, the largest fine ever imposed for a HIPAA violation was a paltry $16 million, levied against the insurer Anthem Inc. after a 2015 data breach that affected 78.8 million people. Anthem reported approximately $80 billion in revenue in 2015.
There is little that victims of this breach can do about their medical records being exposed. However, the leaked data contains more than enough for identity thieves to act on, so if you do not already have a security freeze on your credit file, and on the credit files of your family members, it is wise to put one in place now.
The best way to prevent identity thieves from creating new accounts in your name is to freeze your Equifax, Experian, and TransUnion credit files. This process is currently free to all Americans and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files of their children and dependents.
Freezing your files at the big three bureaus is a great way to deter most forms of new-account identity fraud, because few creditors will extend a new line of credit without first checking how risky it is to lend to you. A freeze does not prevent you from using the lines of credit you already have, such as credit cards, mortgages, or bank accounts. If you need to grant access to your credit file, for example when applying for a loan or a new credit card, you must lift the freeze, permanently or temporarily, at one or more of the bureaus beforehand.
All three bureaus let users freeze their files electronically after creating an account, but all three try to discourage consumers from doing so. Instead, the bureaus steer consumers toward the confusingly named “credit lock” services. A lock achieves much the same result, but lets the bureau keep selling access to your file to partners of its choosing.
If you haven't done so in a while, now is a good time to check your credit files for fraud or mistakes. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. The Federal Trade Commission notes, however, that the three major bureaus have permanently extended a program they set up in 2020 that lets you check your credit report at each bureau for free once a week.