Greater than 100 million people had their non-public well being info stolen throughout the ransomware assault on Change Healthcare in February, a cyberattack that induced months of unprecedented outages and widespread disruption throughout the U.S. healthcare sector.
That is the primary time that UnitedHealth Group, the U.S. medical insurance supplier that owns the well being tech firm, has put various affected people to the information breach, after beforehand saying it anticipated the breach to incorporate knowledge on a “substantial proportion of people in America.”
The U.S. Division of Well being and Human Providers first reported the up to date quantity on its knowledge breach portal on Thursday.
Tyler Mason, a spokesperson for UHG, didn’t instantly reply to a request for remark.
The ransomware assault and knowledge breach at Change Healthcare stands as the biggest recognized digital theft of U.S. medical data, and one of many largest knowledge breaches in residing historical past. The ramifications for the thousands and thousands of Individuals whose non-public medical info was irretrievably stolen are prone to be life lasting.
UHG started notifying affected people in late July, which continued by means of October.
The stolen private knowledge varies by particular person, however Change beforehand confirmed that it contains private info, equivalent to names and addresses, dates of delivery, cellphone numbers and e mail addresses, and authorities identification paperwork, together with Social Safety numbers, driver licenses and passport numbers. The stolen well being knowledge contains diagnoses, medicines, check outcomes, imaging and care and remedy plans, and medical insurance info — in addition to monetary and banking info present in claims and cost knowledge taken by the criminals.
Change Healthcare is without doubt one of the largest handlers of well being, medical knowledge and affected person data because it processes affected person insurance coverage and billing throughout the U.S. healthcare sector, together with hundreds of hospitals, pharmacies and medical practices. As such, Change handles enormous quantities of well being and medical-related info on round a 3rd of all Individuals, the corporate’s chief govt Andrew Witty informed lawmakers in Might.
The cyberattack grew to become public on February 21 when Change Healthcare pulled a lot of its community offline to comprise the intruders, inflicting quick outages throughout the U.S. healthcare sector that relied on Change for dealing with affected person insurance coverage and billing.
UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit score for the cyberattack.
The ransomware gang’s leaders later vanished after absconding with a $22 million ransom paid by the medical insurance large, stiffing the group’s contractors who carried out the hacking of Change Healthcare out of their new monetary windfall. The contractors took the information they stole from Change Healthcare and shaped a brand new group, which extorted a second ransom from UHG, whereas publishing a portion of the stolen information on-line within the course of to show their menace.
There is no such thing as a proof that the cybercriminals subsequently deleted the information. Different extortion gangs, together with LockBit, have been proven to hoard stolen knowledge, even after the sufferer pays and the criminals declare to have deleted the information.
In paying the ransom, Change obtained a duplicate of the stolen dataset, permitting the corporate to determine and notify the affected people whose info was discovered within the knowledge.
Efforts by the U.S. authorities to catch the hackers behind ALPHV/BlackCat, one of the vital prolific ransomware gangs immediately, have thus far failed. The gang bounced again following a takedown operation in 2023 to grab the gang’s darkish net leak web site.
Months after the Change Healthcare breach, the U.S. State Division upped its reward for info of the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.
Company consolidation and poor safety blamed for knowledge breach
Parts of Change Healthcare’s community stay offline as the corporate continues to recuperate from the February cyberattack. Lawmakers are additionally investigating the breach and the impact on the thousands and thousands of Individuals whose well being knowledge was irreversibly stolen.
Throughout a Home listening to into the cyberattack in April, UnitedHealth’s CEO Witty confirmed that the cybercriminals broke into one in every of its worker methods utilizing stolen credentials that weren’t protected with multi-factor authentication (MFA), a safety characteristic that may assist to guard towards the misuse of password theft.
By getting access to a important inside system utilizing solely a stolen password, the ransomware gang had been capable of attain different elements of Change Healthcare’s community and deploy ransomware.
It’s unclear why the system was not protected with MFA, however this may possible stay a key a part of the continued investigations by lawmakers and the federal government. Witty informed lawmakers that the group has since rolled out and now enforces MFA following the cyberattack.
Lawmakers homed in on how UHG handles a lot knowledge and generates a lot income, and failed at fundamental cybersecurity.
In keeping with its 2023 full-year earnings report, UHG made $22 billion in revenue on revenues of $371 billion. UHG’s CEO Witty made $23.5 million in govt compensation the identical yr.
Whereas the shortage of MFA was abused on this case, the sheer dimension and wealth of extremely delicate knowledge that Change Healthcare collects and shops made it a goal in itself, lawmakers stated.
Change Healthcare merged with U.S. healthcare supplier Optum in 2022 as a part of a $7.8 billion deal by UnitedHealth Group. The deal brough the 2 healthcare giants beneath UHG and allowed Optum, which owns doctor teams and offers tech and knowledge to insurance coverage corporations and healthcare companies, broad entry to affected person data dealt with by Change.
UnitedHealth Group collectively offers over 53 million U.S. clients with profit plans and one other 5 million exterior of the USA, in keeping with its newest full-year earnings report. Optum serves about 103 million U.S. clients.
The deal confronted scrutiny by U.S. federal antitrust authorities, who sued to dam UHG from shopping for Change Healthcare and merging it with Optum, arguing that UnitedHealth would get an unfair aggressive benefit by getting access to “about half of all Americans’ health insurance claims pass each year.” A decide finally authorized the deal.
The Justice Division reportedly started cranking up its investigation into UHG and its potential anticompetitive practices within the months previous to the Change Healthcare hack.
Learn extra:
