UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.
In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that “maybe a third” of all Americans' health data was exposed in the attack.
A month later, Change Healthcare published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a “substantial quantity of data” for a “substantial proportion of people in America.”
Today, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of impacted people to 100 million, making it the first time UnitedHealth, the parent company of Change Healthcare, put an official number to the breach.
“On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach,” reads an updated FAQ on the OCR website.
Data breach notifications sent by Change Healthcare since June state that a massive amount of sensitive information was stolen during the February ransomware attack, including:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The information may be different for each individual, and not everyone’s medical history was exposed.
The Change Healthcare ransomware attack
This data breach was caused by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which led to widespread outages in the U.S. healthcare system.
The disruption to the company’s IT systems prevented doctors and pharmacies from submitting claims and prevented pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.
The BlackCat ransomware gang, aka ALPHV, conducted the attack, using stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.
During the attack, the threat actors stole 6 TB of data and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread of the attack.
The UnitedHealth Group admitted to paying a ransom demand to receive a decryptor and for the threat actors to delete the stolen data. The ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.
This ransom payment was supposed to be split between the affiliate and the ransomware operation, but BlackCat suddenly shut down, stealing the entire payment for themselves and pulling an exit scam.
However, this wasn’t the end of Change Healthcare’s problems, as the affiliate claimed they still had the company’s data and did not delete it as promised. The affiliate partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data to not be released.
The entry for Change Healthcare on RansomHub’s data leak site mysteriously disappeared a few days later, possibly indicating that UnitedHealth paid a second ransom demand.
UnitedHealth said in April that the Change Healthcare ransomware attack caused $872 million in losses, which increased as part of the Q3 2024 earnings to an expected $2.45 billion for the nine months to September 30, 2024,