UnitedHealth says data of 100 million stolen in Change Healthcare breach

UnitedHealth has officially confirmed that the Change Healthcare ransomware attack resulted in the theft of personal information and healthcare data for over 100 million individuals, establishing it as the most significant healthcare data breach in recent years.

In May, during a congressional hearing, UnitedHealth CEO Andrew Witty cautioned that “perhaps a third” of all Americans’ health data had been compromised in this incident. A month later, Change Healthcare issued a data breach notification indicating that the ransomware attack in February had exposed a “substantial quantity of data” affecting a “significant proportion of individuals in America.”

As of today, the U.S. Department of Health and Human Services Office for Civil Rights has updated its data breach portal to reflect that 100 million individuals have been impacted, marking the first instance in which UnitedHealth, the parent company of Change Healthcare, has provided an official figure regarding the breach.

An updated FAQ on the OCR website states, “On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach.”

Notifications regarding the data breach sent by Change Healthcare since June have indicated that a vast amount of sensitive information was compromised during the February ransomware attack, including:

– Health insurance details (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);

– Health information (including medical record numbers, providers, diagnoses, medications, test results, images, care, and treatment);

– Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and outstanding balances); and/or

– Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

The specific information compromised may vary for each individual, and not all individuals had their complete medical history exposed.

The breach stems from a ransomware attack in February on Change Healthcare, a subsidiary of UnitedHealth, which caused extensive disruption across the U.S. healthcare system.

The attack compromised the company’s IT infrastructure, hindering doctors and pharmacies from processing claims and preventing pharmacies from accepting discount prescription cards, which forced patients to pay full prices for their medications.

The incident was orchestrated by the BlackCat ransomware group, also known as ALPHV, which used stolen credentials to log in to the company’s Citrix remote access service. That service did not have multi-factor authentication enabled.

During the breach, the attackers exfiltrated 6 TB of data and encrypted numerous computers within the network, prompting the company to shut down its IT systems to contain the incident.

UnitedHealth Group acknowledged that it paid a ransom to obtain a decryption tool and to ensure the deletion of the stolen data. Reports suggest that the ransom amounted to $22 million, as stated by the BlackCat affiliate responsible for the attack.

This payment was intended to be divided between the affiliate and the broader ransomware operation; however, the BlackCat group unexpectedly ceased operations, absconding with the entire ransom and executing an exit scam.

Nevertheless, Change Healthcare continued to face challenges, as the affiliate claimed to retain the company’s data and failed to delete it as agreed. They subsequently allied with a new ransomware group called RansomHub, beginning to leak portions of the stolen data and demanding further payment to prevent additional releases.

Shortly thereafter, the listing for Change Healthcare on RansomHub’s leak site vanished, potentially suggesting that UnitedHealth made a second ransom payment.

In April, UnitedHealth reported that the ransomware incident involving Change Healthcare resulted in losses amounting to $872 million, a figure that escalated to an anticipated $2.45 billion for the nine months ending September 30, 2024, as reflected in the Q3 2024 earnings report.
