A February 2024 ransomware attack on UnitedHealth-owned health tech company Change Healthcare stands as the biggest data breach of health and medical data in U.S. history.
Change Healthcare confirmed in January 2025 that its data breach affects roughly 190 million people in America, nearly double the company’s earlier estimate.
The company said it has notified hundreds of thousands of people by mail that their personal and health information was stolen by cybercriminals, and published a separate public notice for anyone whose contact information could not be found.
Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company collects and stores vast amounts of highly sensitive medical data on patients in the United States. Following a series of corporate mergers and acquisitions, Change Healthcare became one of the biggest processors of U.S. health data, handling as many as half of all U.S. health transactions.
Here’s what has happened since the ransomware attack began.
February 21, 2024
First report of outages as security incident emerges
It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors’ offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security problem.” Clearly something had gone very wrong.
It appears that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector, which relies on a handful of companies — like Change Healthcare — to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company’s systems over a week earlier, on or around February 12.
February 29, 2024
UnitedHealth confirms it was hit by ransomware gang
After initially (and incorrectly) attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang “represented itself to us as ALPHV/BlackCat,” a company spokesperson told information.killnetswitch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen hundreds of thousands of Americans’ sensitive health and patient information, giving the first indication of how many individuals this incident had affected.
ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates — contractors who work for the gang — break into victim networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a cut of the profits from the ransoms collected from victims to get their files back.
Knowing that the breach was caused by a ransomware gang changed the equation of the attack from the kind of hacking that governments do — sometimes to send a message to another government instead of publishing hundreds of thousands of people’s private information — to a breach caused by financially motivated cybercriminals, who are likely to use an entirely different playbook to get their payday.
March 3-5, 2024
UnitedHealth pays a ransom of $22 million to hackers, who then disappear
In early March, the ALPHV ransomware gang vanished. The gang’s leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement took down the gang’s site. But both the FBI and U.K. authorities denied taking down the ransomware gang as they had tried months earlier. All signs pointed to ALPHV running off with the ransom and pulling an “exit scam.”
In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is “still with us.” UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.

March 13, 2024
Widespread disruption across U.S. healthcare amid fears of data breach
Meanwhile, weeks into the cyberattack, outages were still ongoing, with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said “all military pharmacies worldwide” were affected as well.
The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, causing massive disruption that continued to ripple across the healthcare sector.
By March 13, Change Healthcare had received a “secure” copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.
March 28, 2024
U.S. government ups its bounty to $10 million for information leading to ALPHV capture
By late March, the U.S. government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates.
By offering $10 million to anyone who can identify or locate the individuals behind the gang, the U.S. government seemed to hope that one of the gang’s insiders would turn on their former leaders. It also could be seen as the U.S. realizing the threat of having a large number of Americans’ health information potentially published online.
April 15, 2024
Contractor forms new ransom gang and publishes some stolen health data
And then there were two — ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat.
Ransomware gangs don’t just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn’t paid. This is known as “double extortion.” In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim’s customers, known as “triple extortion.”
Now that UnitedHealth was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It’s why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.
April 22, 2024
UnitedHealth says ransomware hackers stole health data on a “substantial proportion of people in America”
For the first time, UnitedHealth confirmed on April 22 — more than two months after the ransomware attack began — that there was a data breach and that it likely affects a “substantial proportion of people in America,” without saying how many hundreds of thousands of people that entails. UnitedHealth also confirmed it paid a ransom for the data but would not say how many ransoms it ultimately paid.
The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging and care and treatment plans, and other personal information.
Given that Change Healthcare handles data on as many as half of everyone living in the United States, the data breach is likely to affect more than 100 million people at least. When reached by information.killnetswitch, a UnitedHealth spokesperson did not dispute the likely affected number but said that the company’s data review was ongoing.
May 1, 2024
UnitedHealth Group chief executive testifies that Change wasn’t using basic cybersecurity
Perhaps unsurprisingly when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers.
That’s what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s systems using a single set password on a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks by requiring a second code sent to that account holder’s phone.
One of the biggest data breaches in U.S. history was entirely preventable, was the key message. Witty said that the data breach was likely to affect about one-third of people living in America — in line with the company’s earlier estimates that the breach affects around as many people as Change Healthcare processes healthcare claims for.

June 20, 2024
UHG begins notifying affected hospitals and medical providers what data was stolen
It took Change Healthcare until June 20 to begin formally notifying affected individuals that their information was stolen, as legally required under a law commonly known as HIPAA, likely delayed in part by the sheer size of the stolen dataset.
The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the “secure” copy of the stolen data. But Change said it “can’t confirm exactly” what data was stolen about each individual and that the information may differ from person to person. Change says it was posting the notice on its website, as it “may not have sufficient addresses for all affected individuals.”
The incident was so big and complex that the U.S. Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort seen as lessening the burden on smaller providers whose finances were hit amid the ongoing outage.
July 29, 2024
Change Healthcare begins notifying known affected individuals by letter
The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July.
The letters going out to affected individuals will most likely come from Change Healthcare, if not the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data were stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.
A spokesperson for UnitedHealth told information.killnetswitch that the data review was in its “final stages.”
October 24, 2024
UnitedHealth confirms at least 100 million people affected by data breach
It took the health insurance giant more than eight months to announce, but it has now confirmed that the data breach affects more than 100 million people. The number of those affected is expected to rise, given some have received data breach notifications as recently as October. The U.S. Department of Health and Human Services reported the updated number on its data breach portal on October 24.
As it stands, the data breach at Change Healthcare is now the largest digital theft of U.S. medical records, and one of the biggest data breaches in living history.
December 16, 2024
New details about Change hack emerge in Nebraska lawsuit
The state of Nebraska filed a lawsuit against Change Healthcare in December, accusing the health tech giant of security failings that led to the massive breach of at least 100 million people in America. New details about the hack emerged in the state’s complaint, including that the ALPHV hackers initially broke in using the stolen username and password of a “low-level customer support employee,” which wasn’t protected with multi-factor authentication. The state’s complaint also accuses Change Healthcare of having poorly segmented IT systems, which allowed the hackers to travel freely between servers once inside the company’s firewall.
UnitedHealth Group, which owns Change Healthcare, told information.killnetswitch that the company was still in the “final stages” of notifying individuals affected by the data breach (the same thing it told us in July), suggesting that the number of Americans affected by the data breach would be far higher than the 100 million disclosed so far.
January 24, 2025
Change Healthcare says 190 million people in America affected by data breach
On a Friday evening almost a year after the cyberattack, UnitedHealth confirmed that the number of people in America who had private health information stolen in the data breach stands at 190 million, more than half of the population of the United States. The healthcare insurance giant said it planned to notify the U.S. Department of Health and Human Services of the updated figure, as required by law, at a later date.
Hundreds of thousands of people are affected by the breach, even if they didn’t have UnitedHealthcare insurance, given the vast amounts of medical data and billion transactions that Change Healthcare processes across the U.S. healthcare system every day.