Change Healthcare has confirmed a February ransomware assault on its techniques, which introduced widespread disruption to the U.S. healthcare system for weeks, resulted within the theft of medical information affecting a “substantial proportion of individuals in America.”
In a press release Thursday, Change Healthcare stated it has begun the method of notifying affected people whose info was stolen through the cyberattack.
The well being tech large, owned by U.S. insurance coverage conglomerate UnitedHealth Group, processes affected person insurance coverage and billing for 1000’s of hospitals, pharmacies and medical practices throughout the U.S. healthcare sector. As such, the corporate has entry to huge quantities of well being info on a few third of all People.
The cyberattack prompted the corporate to close down its techniques, leading to outages and delays to 1000’s of healthcare suppliers who depend on Change, and affecting numerous sufferers who couldn’t receive prescriptions or had medical care or procedures delayed.
Change stated in its newest assertion that it “can not affirm precisely” what information was stolen about every particular person, and that the knowledge could differ from individual to individual.
The affected info contains private info, resembling names and addresses, dates of start, cellphone numbers and e-mail addresses, in addition to authorities identification paperwork, resembling Social Safety numbers, driver’s licenses and passport numbers.
The information additionally contains medical information and well being info, resembling diagnoses, medicines, take a look at outcomes, medicines, imaging, and care and remedy plans, stated Change. The hackers stole medical insurance info, together with plan and coverage particulars, in addition to billing, claims and cost info, which Change stated contains monetary and banking info.
Change stated it was nonetheless within the “late levels” of its evaluate of the stolen information to find out what was taken and that extra affected people could also be recognized. A number of the stolen info could relate to guarantors who paid healthcare payments for another person, the corporate stated.
The corporate added that affected people ought to obtain discover by mail starting late July.
The ransomware assault on Change Healthcare stands as one of many largest-ever identified digital thefts of U.S. medical information. Whereas the complete affect of this data breach stays unclear, the ramifications for the hundreds of thousands of People whose personal medical info was irretrievably compromised are seemingly incalculable.
Change stated it secured a duplicate of the stolen dataset in March to evaluate for figuring out and notifying affected people, which information.killnetswitch beforehand reported was obtained in change for paying a ransom demand.
UnitedHealth confirmed it paid at the least one ransom demand to the cybercriminal group behind the ransomware assault, referred to as ALPHV, in an effort to forestall the publication of the stolen recordsdata. One other hacking group known as RansomHub demanded a further cost from UnitedHealth after claiming ALPHV made off with the primary ransom cost however left the stolen information with one in every of its associates — basically a contractor — who broke in and deployed the ransomware on Change’s techniques.
RansomHub subsequently printed a number of recordsdata on its darkish internet leak website and threatened to promote the information to the very best bidder if one other ransom wasn’t paid.
Based on UnitedHealth chief government Andrew Witty, the hackers broke into Change Healthcare’s community utilizing a set of stolen credentials to an inner system that was not protected with multi-factor authentication, a security characteristic that makes it harder for malicious hackers to misuse stolen passwords.
The ransomware assault value UnitedHealth round $870 million within the first three months of the 12 months, throughout which the corporate made $100 billion in income, in response to the corporate’s earnings report. UnitedHealth is anticipated to report its most up-to-date earnings in mid-July.
