In February, a ransomware attack against Change Healthcare resulted in more than 100 million individuals having their personal medical information stolen. This cyberattack caused months of unprecedented outages and widespread disruption across the U.S. healthcare industry.
This is the first time UnitedHealth Group (UHG), a US health insurance company that owns health tech companies, has put a figure on the number of individuals affected by the data breach, although it had previously said it expected the breach to include “critical data” on a percentage of the American population.
The U.S. Department of Health and Human Services first reported the latest numbers on its data breach portal Thursday.
“Given the amount and complexity of the data involved, and as the investigation is still in its final stages, we would like to inform all potentially affected individuals as soon as possible,” UHG spokesperson Tyler Mason said in a short statement. “We will continue to provide prompt and regular notification.”
The ransomware attack and data breach at Change Healthcare is the largest known digital theft of U.S. medical records and one of the largest data breaches in living history. The impact on the millions of Americans whose personal medical information has been irretrievably stolen is likely to last a lifetime.
UHG began notifying affected individuals in late July, which continued through October.
Although the data stolen varies from person to person, Change has previously confirmed that it includes personal information such as names and addresses, dates of birth, phone numbers, and email addresses, as well as government identity information including Social Security numbers, driver's license numbers, and passport numbers. Stolen health data includes diagnoses, medications, test results, imaging, care and treatment plans, and health insurance information, as well as financial and banking information contained in claims and payment data harvested by criminals.
Change Healthcare is one of the largest health, medical data and patient records companies, processing insurance and claims for patients across the U.S. healthcare sector, including thousands of hospitals, pharmacies and medical practices. As a result, Change handles vast amounts of health and medical information on about one-third of all Americans, CEO Andrew Witty told lawmakers in May.
The cyberattack became public on February 21, when Change Healthcare took much of its network offline to thwart the intruders. Because the U.S. healthcare industry relied on Change to process patient insurance and claims, there was an immediate outage across the board.
UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang that was later held responsible for the cyberattack.
The ransomware gang's leaders fled with a $22 million ransom paid by the health insurance giant, then disappeared and blackmailed the group's contractors who carried out the Change Healthcare hack as a new source of income. The contractors took the data stolen from Change Healthcare, formed a new group, extorted a second ransom from UHG, and in the process published some of the stolen files online to prove the threat.
There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been found to keep stolen data even after victims have paid and the criminals have claimed to have deleted it.
Upon paying the ransom, Change obtained a copy of the stolen datasets. This allows the company to identify and notify affected individuals whose information is found within the data.
The US government's efforts to capture the hackers behind ALPHV/BlackCat, one of today's most prolific ransomware groups, have so far failed. The gang bounced back in 2023 after a takedown operation seized the gang's dark web leak site.
Months after the Change Healthcare breach, the US State Department increased the reward to $10 million for information regarding the whereabouts of the ALPHV/BlackCat cybercriminals.
Corporate integration and security vulnerabilities are blamed for data breaches
As Change Healthcare continues to recover from the February cyberattack, parts of its network remain offline. Lawmakers are also investigating this breach and its impact on the millions of Americans whose health data was irreversibly stolen.
At a House hearing in April on the cyberattack, UnitedHealth CEO Witty admitted that cybercriminals broke into one of the employee systems using stolen credentials that were not protected by multi-factor authentication (MFA), which guards against the exploitation of stolen passwords.
By gaining access to critical internal systems using only stolen passwords, the ransomware gang was able to reach other parts of Change Healthcare's network and deploy ransomware.
It is unclear why the systems were not protected by MFA, but this will continue to be a key part of the ongoing investigation by lawmakers and the government. Witty told lawmakers that the organization is now enforcing MFA following the cyberattack.
Lawmakers focused on how UHG processes large amounts of data, generates huge revenues, and fails at basic cybersecurity.
According to its 2023 full-year earnings report, UHG made a profit of $22 billion on revenue of $371 billion. Mr. Witty earned $23.5 million in executive compensation that year.
While the lack of MFA was exploited in this case, the sheer volume and richness of the highly sensitive data that Change Healthcare collects and stores makes it a target in its own right, the lawmakers said.
Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal by UnitedHealth Group. The deal brings the two medical giants under UHG and gives Optum, which owns physician groups and provides technology and data to insurance companies and medical services, broad access to Change's patient records.
In total, UnitedHealth Group provides benefit plans to more than 53 million customers in the United States and an additional 5 million customers outside the United States, according to its latest full-year earnings report. Optum serves approximately 103 million customers in the United States.
The partnership faced scrutiny from U.S. federal antitrust authorities, who filed a lawsuit to block UHG's acquisition of Change Healthcare and its merger with Optum. They argued that gaining access to “about half of each citizen's health insurance claims” each year would give UnitedHealth an unfair competitive advantage. A judge ultimately approved the deal.
The Justice Department reportedly began ramping up its investigation into UHG and its potential anti-competitive practices in the months before the Change Healthcare hack.
Updated with UHG comment.