UnitedHealth has confirmed for the primary time that over 100 million folks had their private data and healthcare knowledge stolen within the Change Healthcare ransomware assault, marking this as the biggest healthcare data breach in recent times.
In Might, UnitedHealth CEO Andrew Witty warned throughout a congressional listening to that “perhaps a 3rd” of all American’s well being knowledge was uncovered within the assault.
A month later, Change Healthcare printed a data breach notification warning that the February ransomware assault on Change Healthcare uncovered a “substantial amount of information” for a “substantial proportion of individuals in America.”
At present, the U.S. Division of Well being and Human Companies Workplace for Civil Rights data breach portal up to date the full variety of impacted folks to 100 million, making it the primary time UnitedHealth, the father or mother firm of Change Healthcare, put an official quantity to the breach.
“On October 22, 2024, Change Healthcare notified OCR that roughly 100 million particular person notices have been despatched relating to this breach,” reads an up to date FAQ on the OCR web site.
Supply: HHS
Data breach notifications despatched by Change Healthcare since June state {that a} huge quantity of delicate data was stolen in the course of the February ransomware assault, together with:
- Medical insurance data (comparable to major, secondary or different well being plans/insurance policies, insurance coverage firms, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Well being data (comparable to medical document numbers, suppliers, diagnoses, medicines, take a look at outcomes, pictures, care and therapy);
- Billing, claims and fee data (comparable to declare numbers, account numbers, billing codes, fee playing cards, monetary and banking data, funds made, and stability due); and/or
- Different private data comparable to Social Safety numbers, driver’s licenses or state ID numbers, or passport numbers.
The knowledge could also be completely different for every particular person, and never everybody’s medical historical past was uncovered.
The Change Healthcare ransomware assault
This data breach was attributable to a February ransomware assault on UnitedHealth subsidiary Change Healthcare, which led to widespread outages within the U.S. healthcare system.
The disruption to the corporate’s IT techniques prevented medical doctors and pharmacies from submitting claims and prevented pharmacies from accepting low cost prescription playing cards, inflicting sufferers to pay full worth for medicines.
The BlackCat ransomware gang, aka ALPHV, performed the assault, utilizing stolen credentials to breach the corporate’s Citrix distant entry service, which didn’t have multi-factor authentication enabled.
In the course of the assault, the risk actors stole 6 TB of information and finally encrypted computer systems on the community, inflicting the corporate to close down IT techniques to forestall the unfold of the assault.
The UnitedHealth Group admitted to paying a ransom demand to obtain a decryptor and for the risk actors to delete the stolen knowledge. The ransom fee was allegedly $22 million, in line with the BlackCat ransomware affiliate who performed the assault.
This ransom fee was presupposed to be break up between the affiliate and the ransomware operation, however the BlackCat all of a sudden shut down, stealing your entire fee for themselves and pulling an exit rip-off.
Nonetheless, this wasn’t the tip of Change Healthcare’s issues, because the affiliate claimed they nonetheless had the corporate’s knowledge and didn’t delete it as promised. The affiliate partnered with a brand new ransomware operation named RansomHub and started leaking a few of the stolen knowledge, demanding an extra fee for the information to not be launched.
The entry for Change Healthcare entry on RansomHub’s knowledge leak web site mysteriously disappeared just a few days later, presumably indicating that United Well being paid a second ransom demand.
UnitedHealth mentioned in April that the Change Healthcare ransomware assault brought about $872 million in losses, which elevated as a part of the Q3 2024 earnings to an anticipated $2.45 billion for the 9 months to September 30, 2024,
