Change Healthcare confirmed that its systems were hit by a ransomware attack in February, causing widespread disruption to the US healthcare system for several weeks and resulting in the theft of the medical records of a “significant proportion of Americans.”
Change Healthcare said in a statement Thursday that it has begun the process of notifying affected individuals whose information was stolen during the cyberattack.
The medical technology giant, owned by US insurance conglomerate UnitedHealth Group, processes insurance and billing for patients across the US healthcare sector for thousands of hospitals, pharmacies and clinics, giving it access to vast amounts of health information for roughly a third of the nation's population.
The cyberattack forced the company to shut down its systems, causing outages and delays for thousands of healthcare providers who use Change and affecting countless patients, including those who were unable to get prescriptions or who experienced delays in care and procedures.
In its latest statement, Change said it was “unable to confirm exactly what data” was stolen about each individual, and that information may vary from person to person.
Affected information includes personal information such as name, address, date of birth, phone number and email address, as well as government-issued identification such as Social Security number, driver's license and passport number.
The data also includes medical records and health information, such as diagnoses, medications, lab results, images, care and treatment plans, according to Change. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said also included financial and banking information.
Change said its investigation into the stolen data is in the “final stages” of determining what was stolen, and that more affected individuals may be identified. The company said some of the stolen information may relate to guarantors who paid for other people's medical bills.
The company added that affected individuals will be notified by mail starting in late July.
The Change Healthcare ransomware attack is one of the largest digital thefts of medical records in U.S. history. While the full impact of this data breach is unknown, the implications for the millions of Americans whose personal medical information was irretrievably compromised will be devastating.
Change said it had obtained a copy of the stolen dataset in March in order to identify and notify affected individuals. TechCrunch previously reported that the dataset was obtained in exchange for a ransom payment.
UnitedHealth confirmed that it paid at least one ransom demand to the cybercrime group behind the ransomware attacks, known as ALPHV, to prevent the release of stolen files. Another hacker group, RansomHub, claimed that ALPHV ran off with the first ransom but left the stolen data with its affiliates (essentially contractors) who then infiltrated and deployed the ransomware on Change's systems, demanding an additional payment from UnitedHealth.
RansomHub then published some of the files on a dark web leak site, threatening to sell the data to the highest bidder if the ransom wasn't paid.
UnitedHealth CEO Andrew Witty said the hackers gained access to Change Healthcare's network using a set of stolen credentials to an internal system that wasn't protected by multifactor authentication, a security feature that makes it difficult for malicious actors to exploit stolen passwords.
UnitedHealth, which had revenue of $100 billion in the first three months of the year, said in its financial results that the ransomware attack cost it about $870 million. UnitedHealth is due to report its latest earnings in mid-July.