The ransomware attack earlier this year on UnitedHealth's health tech company Change Healthcare is likely the largest data breach of U.S. health and medical data in history.
Months after the February data breach, a “significant percentage of people living in the United States” are receiving email notifications that their personal and health information was stolen by cybercriminals during the Change Healthcare cyberattack. At least 100 million people are currently known to be affected by this breach.
Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare industry. As such, it collects and stores vast amounts of sensitive medical data about patients in the United States. Through a series of mergers and acquisitions, Change has become one of the largest processors of healthcare data in the country, handling between one-third and one-half of all U.S. healthcare transactions.
Here's what's happened since the ransomware attack began.
February 21, 2024
First report of outage due to security incident
It seemed like a normal Wednesday afternoon, but it wasn't. The outage was sudden. On February 21, the billing systems of clinics and medical institutions stopped working, bringing the processing of insurance claims to a halt. The status page on Change Healthcare's website filled with outage notices affecting every part of the business, and later in the day the company acknowledged that it was “experiencing network interruptions related to cyber security issues.” Clearly something was very wrong.
It turned out that Change Healthcare had invoked its security protocols and shut down its entire network to isolate an intruder it had discovered within its systems. The result was a sudden and massive outage across the healthcare sector, which relies on a small number of companies such as Change Healthcare to process health insurance and claims for vast swathes of the United States. It was later determined that the hackers had first broken into the company's systems more than a week earlier, on or around February 12.
February 29, 2024
UnitedHealth confirms attack by ransomware group
UnitedHealth initially (and wrongly) claimed the intrusion was the work of hackers working for a government or nation-state, but on February 29 it announced that the cyberattack was actually carried out by a ransomware gang. UnitedHealth said the gang had identified itself to the company as ALPHV/BlackCat, a spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming it had stolen sensitive health and patient information from millions of Americans, offering the first indication of just how many people this incident affected.
ALPHV (also known as BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates (contractors working for the gang) break into victims' networks and deploy malware developed by ALPHV/BlackCat's leaders. In return, the affiliates receive a share of the ransoms that victims pay to get their files back.
Knowing that the breach was the work of a ransomware gang changed the equation. Government-backed hacking is sometimes done to send a message to another government rather than to expose the personal information of millions of people for profit; a breach by financially motivated cybercriminals follows a completely different playbook, one aimed at getting paid.
March 3-5, 2024
UnitedHealth pays $22 million ransom to hackers, then hackers disappear
In early March, the ALPHV ransomware group went dark. The gang's leak site on the dark web, which weeks earlier had claimed responsibility for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement had taken the site down. However, both the FBI and British authorities, who had moved against the ransomware group months earlier, denied any involvement in this takedown. All signs pointed to ALPHV absconding with the ransom in an “exit scam.”
In a post, the ALPHV affiliate that carried out the Change Healthcare hack said that ALPHV's leadership had stolen the $22 million ransom paid by UnitedHealth, and provided a link to a single Bitcoin transaction on March 3 as evidence. Despite losing its share of the ransom payment, the affiliate said the stolen data was “still in our hands.” UnitedHealth had paid a ransom to hackers who then disappeared, leaving the stolen data behind.
Fake law enforcement seizure notice posted on the BlackCat dark web leak site shortly after the gang received the $22 million ransom. Image credit: TechCrunch (screenshot)
March 13, 2024
Data breach concerns cause widespread disruption across U.S. healthcare
Meanwhile, weeks after the cyberattack, the outages continued, leaving many people unable to get their prescriptions filled or forced to pay in cash. Tricare, the U.S. military's health insurance program, said “all military pharmacies worldwide” were affected as well.
The American Medical Association said there had been little information from UnitedHealth and Change Healthcare about the ongoing outages, which had caused massive disruption and continued to ripple throughout the healthcare industry.
By March 13, Change Healthcare had obtained a “secure” copy of the stolen data, which it had paid $22 million for days earlier. This allowed Change to begin scrutinizing the datasets to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.
March 28, 2024
US government increases reward to $10 million for information leading to ALPHV capture
By late March, the US government announced an increased reward for information on key leaders of ALPHV/BlackCat and its affiliates.
By offering $10 million to anyone who can identify or locate the people behind the gang, the U.S. government appears to be hoping that one of the gang's insiders will turn on their former leaders. The reward can also be read as the U.S. recognizing the threat that a significant number of Americans' health information could be exposed online.
April 15, 2024
Contractors form new ransom gang and release some stolen health data
Then there were two ransoms. By mid-April, the affiliate that had been cut out of the first payment had set up a new extortion gang called RansomHub and demanded a second ransom from UnitedHealth, since it still held the data stolen from Change Healthcare. As proof of the threat, RansomHub published some of the stolen files, including what appeared to be private and sensitive patient records.
Ransomware gangs do more than just encrypt files. They also steal as much data as possible and threaten to release it if the ransom is not paid, a practice known as “double extortion.” In some cases, once the victim has paid, the ransomware gang extorts the victim again, or even extorts the victim's customers, which is known as “triple extortion.”
Having shown it was willing to pay one ransom, the healthcare giant was at risk of being extorted again. That is why law enforcement agencies have long opposed ransom payments, which allow criminals to profit from cyberattacks.
April 22, 2024
UnitedHealth says ransomware hackers stole health data of 'a significant percentage of people in America'
On April 22, more than two months after the ransomware attack began, UnitedHealth acknowledged for the first time that the data breach was likely to affect “a significant percentage of people in America.” UnitedHealth also acknowledged paying a ransom for the data, but declined to say how much it ultimately paid.
The company said the stolen data included highly sensitive information such as medical records and health information, diagnoses, medications, test results, imaging, care and treatment plans, and other personal information.
Given that Change Healthcare handles the data of approximately one-third of U.S. residents, the data breach could affect at least 100 million people. Speaking to TechCrunch, a UnitedHealth spokesperson did not dispute that figure, but said the company's review of the data was ongoing.
May 1, 2024
UnitedHealth Group CEO Testifies Change Doesn't Use Basic Cybersecurity
Perhaps unsurprisingly, when a company suffers one of the biggest data breaches in recent history, its CEO can expect to be called to testify before lawmakers.
That is what happened to Andrew Witty, chief executive of UnitedHealth Group (UHG), who told lawmakers in Congress that the hacker had broken into Change Healthcare's systems using a single password, and admitted that the system in question was not protected by multi-factor authentication. Multi-factor authentication prevents password reuse attacks by requiring a second code sent to the account holder's phone.
The key message was that one of the largest data breaches in U.S. history was entirely preventable. Witty said the data breach was likely to affect about one-third of people living in the United States. This is consistent with the company's earlier estimate that the breach would affect roughly the same number of people for whom Change Healthcare processes health insurance claims.
UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill in Washington, D.C., May 1, 2024. Image credit: Kent Nishimura/Getty Images
June 20, 2024
UHG begins notifying affected hospitals and healthcare providers what data was stolen
It took until June 20 for Change Healthcare to begin formally notifying affected individuals that their information had been stolen, as required under the law commonly known as HIPAA. The delay was likely due to the sheer size of the stolen dataset.
The company published a notice disclosing the data breach and said it would begin notifying individuals it had identified in the “secure” copies of the stolen data. But Change said it was “not able to confirm exactly” what data about each individual was stolen, and that the information could vary from person to person. Change said it had posted the notice on its website because “we may not have sufficient addresses for all affected individuals.”
The incident was so large and complex that the U.S. Department of Health and Human Services intervened, and affected healthcare providers (whose patients were ultimately the ones hit by the breach) sued UnitedHealth. HHS announced that affected providers could ask UnitedHealth to notify their patients on their behalf, easing the burden on small providers whose finances had been battered by the continued outages.
July 29, 2024
Change Healthcare begins notifying known affected individuals by letter
In late June, the health tech giant announced it would begin notifying, on a rolling basis, the people whose healthcare data was stolen in the ransomware attack. That process began in late July.
Letters sent to affected individuals will most likely come from Change Healthcare, if not from the specific healthcare providers affected by the Change hack. The letters confirm what types of data were stolen, including medical data, health insurance information, and billing and payment information, which Change said also includes financial and banking information.
October 24, 2024
UnitedHealth confirms at least 100 million people affected by data breach
The health insurance giant has now confirmed that the data breach affected more than 100 million individuals, although it took more than eight months to make the announcement. The number of people affected is expected to grow, given that some people received data breach notifications as recently as October. The U.S. Department of Health and Human Services reported the latest numbers on its data breach portal on Oct. 24.
As it stands, the data breach at Change Healthcare is the largest digital theft of U.S. medical records and one of the largest data breaches in recent history.