In February, a ransomware attack against Change Healthcare resulted in more than 100 million individuals having their personal medical information stolen. This cyberattack caused months of unprecedented outages and widespread disruption across the U.S. healthcare industry.
UnitedHealth Group (UHG), the U.S. health insurer that owns the health tech company, has for the first time disclosed the number of individuals affected, after previously saying it expected the data breach to include data on a “significant proportion of people in America.”
The U.S. Department of Health and Human Services first reported the latest numbers on its data breach portal Thursday.
UHG spokesman Tyler Mason did not respond to a request for comment.
The ransomware attack and data breach at Change Healthcare is the largest known digital theft of U.S. medical records and one of the largest data breaches in living history. The impact on the millions of Americans whose personal medical information has been irretrievably stolen is likely to last a lifetime.
UHG began notifying affected individuals in late July, which continued through October.
While the personal data stolen varies from person to person, Change previously reported that the stolen data includes personal information such as names and addresses, dates of birth, phone numbers, and email addresses, as well as government identity documents including Social Security numbers, driver's licenses, and passport numbers. Stolen health data includes diagnoses, medications, test results, imaging, and care and treatment plans, along with health insurance information and the financial and banking information contained in claims and payment data harvested by the criminals.
Change Healthcare processes patient insurance and claims across the U.S. healthcare sector, including thousands of hospitals, pharmacies and medical practices, and is one of the largest providers of health, medical data and patient records. As a result, Change handles vast amounts of health and medical information on about one-third of all Americans, UHG CEO Andrew Witty told lawmakers in May.
The cyberattack became public on February 21, when Change Healthcare took much of its network offline to thwart the intruders. Because the U.S. healthcare industry relied on Change to process patient insurance and claims, there was an immediate outage across the board.
UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang that was later held responsible for the cyberattack.
The ransomware gang's leaders fled with a $22 million ransom paid by the health insurance giant, then disappeared and blackmailed the group's contractors who carried out the Change Healthcare hack as a new source of income. The contractors took the data stolen from Change Healthcare, formed a new group, extorted a second ransom from UHG, and in the process published some of the stolen files online to prove the threat.
There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been found to keep stolen data even after victims have paid and the criminals have claimed to have deleted it.
Upon paying the ransom, Change obtained a copy of the stolen datasets. This allows the company to identify and notify affected individuals whose information is found within the data.
The U.S. government's efforts to capture the hackers behind ALPHV/BlackCat, one of today's most prolific ransomware groups, have so far failed. The gang bounced back in 2023 after a takedown operation that seized its dark web leak site.
Months after the Change Healthcare breach, the U.S. State Department increased the reward for information on the ALPHV/BlackCat cybercriminals' whereabouts to $10 million.
Corporate integration and security vulnerabilities are blamed for data breaches
As Change Healthcare continues to recover from the February cyberattack, parts of its network remain offline. Lawmakers are also investigating this breach and its impact on the millions of Americans whose health data was irreversibly stolen.
At a House hearing on the cyberattack in April, UnitedHealth CEO Witty said the cybercriminals broke into one of the employee systems using stolen credentials for an account that was not protected by multi-factor authentication (MFA), a control meant to prevent the exploitation of stolen passwords.
By gaining access to critical internal systems using only stolen passwords, the ransomware gang was able to reach other parts of Change Healthcare's network and deploy ransomware.
UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, DC. Image credit: Kent Nishimura/Getty Images
It is unclear why the systems were not protected by MFA, but this will continue to be a key part of the ongoing investigation by lawmakers and the government. Witty told lawmakers that the organization took action after the cyberattack and is now enforcing MFA.
Lawmakers focused on how UHG, which processes large amounts of data and generates vast amounts of revenue, failed at basic cybersecurity.
According to its 2023 full-year earnings report, UHG made a profit of $22 billion on revenue of $371 billion. UHG CEO Witty received $23.5 million in executive compensation that year.
While the lack of MFA was exploited in this case, the sheer volume and richness of the highly sensitive data that Change Healthcare collects and stores makes it a target in its own right, the lawmakers said.
Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal by UnitedHealth Group. The agreement between UHG's two leading healthcare companies gives Optum, which owns physician groups and provides technology and data to insurance companies and healthcare services, broad access to Change's patient records.
In total, UnitedHealth Group provides benefit plans to more than 53 million customers in the U.S. and an additional 5 million customers outside the U.S., according to its latest full-year earnings report. Optum serves approximately 103 million customers in the United States.
The partnership faced scrutiny from U.S. federal antitrust authorities, who filed a lawsuit to block UHG's acquisition of Change Healthcare and its merger with Optum. They argued that gaining access to “about half of each citizen's health insurance claims” each year would give UnitedHealth an unfair competitive advantage. A judge ultimately approved the deal.
The Justice Department reportedly began ramping up its investigation into UHG and its potential anti-competitive practices in the months before the Change Healthcare hack.