A ransomware attack on UnitedHealth-owned medical technology company Change Healthcare earlier this year is likely one of the largest data breaches of U.S. health and medical data in history.
Months after the February data breach, a “significant percentage of people living in the United States” have received notifications in the mail that their personal and health information was stolen by cybercriminals during a cyberattack on Change Healthcare.
Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies, and clinics across the U.S. healthcare sector. As such, the company collects and stores large amounts of sensitive healthcare data about U.S. patients. Through a series of mergers and acquisitions, Change Healthcare has become one of the largest healthcare data processors in the U.S., processing one-third to one-half of all U.S. healthcare transactions.
Here's what happened since the ransomware attack began.
February 21, 2024
First report of service outage due to security incident
It seemed like a normal Wednesday afternoon, but it wasn't. On February 21, billing systems for clinics and medical facilities abruptly stopped working, and insurance claims processing ground to a halt. The status page on Change Healthcare's website filled with outage notices affecting every part of the company's business, and later that same day the company confirmed it was “experiencing a network interruption related to a cybersecurity issue.” Clearly, something big had gone wrong.
It turned out that Change Healthcare had invoked its security protocols and shut down its entire network to isolate an intruder it had found in its systems. This caused a sudden and widespread outage across the healthcare sector, where vast swaths of the U.S. rely on a small number of companies like Change Healthcare for health insurance and claims processing. It was later discovered that the hackers had first gained access to the company's systems more than a week earlier, around February 12.
February 29, 2024
UnitedHealth acknowledges being attacked by ransomware group
UnitedHealth initially (and incorrectly) attributed the intrusion to hackers working for the government or a nation state, but then announced on February 29 that the cyberattack was actually the work of a ransomware gang. UnitedHealth said the gang was “purporting to be ALPHV/BlackCat,” a company spokesperson told TechCrunch at the time. A dark web leak site linked to the ALPHV/BlackCat gang also claimed responsibility for the attack, claiming to have stolen sensitive health and patient information for millions of Americans, marking the first indication of how many individuals the incident had affected.
ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service group. Its affiliates (contractors working for the group) break into victim networks and deploy malware developed by the ALPHV/BlackCat leadership, who in turn take a cut of the ransoms that victims pay to get their files back.
The discovery that the breach was the work of a ransomware gang changed the equation: a government hack is often meant to send a message to other governments rather than to expose the personal information of millions of people, whereas a financially motivated breach by cybercriminals can involve entirely different methods of making money from the stolen data.
March 3-5, 2024
UnitedHealth pays $22 million ransom to hackers, who then disappear
In early March, the ALPHV ransomware gang disappeared. The gang's leak site on the dark web, which had claimed responsibility for the cyberattack a few weeks earlier, was replaced with a seizure notice stating that U.K. and U.S. law enforcement had shut down the site. However, both the FBI and U.K. authorities denied having shut down the gang, as they had attempted to do a few months earlier. All indications point to ALPHV fleeing with the ransom money in an “exit scam.”
In a post, the ALPHV affiliate that carried out the Change Healthcare hack claimed that the gang's leaders had stolen the $22 million ransom, and included a link to a March 3 Bitcoin transaction as proof. But despite losing its share of the ransom, the affiliate said the stolen data was “still in our hands.” In other words, UnitedHealth had paid the ransom to the gang's leaders, who then disappeared, while the affiliate that actually held the stolen data was left unpaid.
A fake law enforcement seizure notice posted on BlackCat's dark web leaks site shortly after the $22 million ransom was received. Image credit: TechCrunch (screenshot)
March 13, 2024
Data breach fears cause widespread disruption to US healthcare
Meanwhile, weeks after the cyberattack, the outages were still ongoing, leaving many patients unable to collect prescriptions or forced to pay out of pocket. Military health insurer Tricare said “all military pharmacies worldwide” were also affected.
The American Medical Association said it had received little information from UnitedHealth and Change Healthcare about the ongoing outages, causing widespread confusion that continued to ripple through the healthcare industry.
By March 13, Change Healthcare had obtained a copy of the stolen data, which it received from the hackers after paying the $22 million ransom. This allowed the company to begin sifting through the dataset to determine whose information had been stolen in the cyberattack and to notify as many affected individuals as possible.
March 28, 2024
U.S. government increases bounty for information leading to capture of ALPHV to $10 million
By late March, the U.S. government announced it was increasing its bounty for information about the key leaders of ALPHV/BlackCat and its affiliates.
By offering a $10 million reward to anyone who could identify or locate the people behind the gang, the U.S. government may have hoped that someone within the gang would turn on its leaders, and may also have recognized the risk that a large amount of Americans' health information could be published online.
April 15, 2024
Affiliate forms new ransomware gang, releases stolen health data
Then came the second ransom demand: By mid-April, the affiliate, having been cheated out of its share of the first ransom, had launched a new extortion operation called RansomHub. Still in possession of the data stolen from Change Healthcare, it demanded a second ransom from UnitedHealth and published some of the stolen files, believed to be private and sensitive patient records, as proof.
In addition to encrypting files, ransomware gangs also steal as much data as they can and threaten to publish it if the ransom isn't paid. This is called “double extortion.” Even after the victim pays, the gang may extort the victim again, or go after the victim's customers and partners using the same stolen data. This is called “triple extortion.”
UnitedHealth's willingness to pay the ransom once raised the risk that the healthcare giant would be blackmailed again, which is why law enforcement has long advised against paying ransoms: payment lets criminals profit from cyberattacks and does nothing to guarantee the stolen data is deleted.
April 22, 2024
UnitedHealth says ransomware hackers stole health data from “a significant percentage of Americans”
UnitedHealth first acknowledged on April 22, more than two months after the ransomware attack began, that there had been a data breach and that it likely affected “a significant proportion of people in the U.S.,” but did not say how many millions of people that meant. UnitedHealth also acknowledged that it had paid a ransom for its data, but did not disclose the amount.
The company said the stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, lab results, imaging, care and treatment plans, and other personal information.
The data breach could potentially affect at least 100 million people, given that Change Healthcare handles data on roughly one-third of people living in the U.S. When contacted by TechCrunch, a UnitedHealth spokesperson did not dispute the number of people potentially affected, but said the company's review of the data is ongoing.
May 1, 2024
UnitedHealth Group CEO says Change failed to use basic cybersecurity practices
Perhaps unsurprisingly, when a company suffers one of the largest data breaches in recent history, its chief executive officer will inevitably be called to testify before lawmakers.
That's exactly what happened to UnitedHealth Group CEO Andrew Witty, who admitted to Congress that the hackers broke into Change Healthcare's systems using a single password on a user account that wasn't protected by multifactor authentication. MFA is a basic security control that requires a second factor, such as a code sent to or generated on the account holder's phone, in addition to the password; it defeats attacks that rely on a stolen or reused password alone.
The takeaway was that one of the largest data breaches in U.S. history was entirely preventable. Witty said the breach could affect about one-third of people living in the U.S., consistent with the company's earlier estimate based on the share of U.S. medical claims that Change Healthcare processes.
UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill in Washington, DC on May 1, 2024. Image by Kent Nishimura/Getty Images
June 20, 2024
UHG begins notifying affected hospitals and healthcare providers of stolen data
It took until June 20 for Change Healthcare to begin formally notifying affected individuals that their information had been stolen, as required under HIPAA, a delay likely due in part to the sheer volume of the stolen dataset.
The company posted a notice publicizing the data breach and said it would begin notifying the individuals it had identified in the copy of the stolen data it obtained. But Change said it “cannot confirm exactly what data” was stolen about each individual, and that the information may vary from person to person. Change said it was posting the notices on its website because it may not have mailing addresses for all affected individuals.
The scale and complexity of the incident prompted the U.S. Department of Health and Human Services to step in and announce that health care providers whose patients would ultimately be affected by the breach could ask UnitedHealth to notify affected patients on their behalf, in a move likely intended to ease the burden on smaller health care providers financially hit by the ongoing outages.
July 29, 2024
Change Healthcare begins notifying known affected individuals by letter
The medical technology giant confirmed in late June that it would begin notifying people whose medical data was stolen in the ransomware attack on an ongoing basis, a process that began in late July.
The letters sent to affected individuals come from Change Healthcare, not from the specific healthcare providers affected by the Change Healthcare hack. The letters list the types of data that were stolen, including medical data, health insurance information, and billing and payment information. Change Healthcare says this also includes financial and banking information.