Discover the Medical Data Exposed: Change Healthcare Reveals Impact of Ransomware Attack

UnitedHealth has recently confirmed the extent of the damage caused by the massive Change Healthcare ransomware attack. The company revealed that a significant amount of medical and patient data was stolen, with breach notifications set to go out in July.

Last week, UnitedHealth published a data breach notification, stating that a “substantial quantity of data” for a “substantial proportion of people in America” had been exposed. The exact number of affected individuals remains unknown, but UnitedHealth CEO Andrew Witty mentioned during a congressional hearing that “maybe a third” of all Americans’ health data might have been exposed.

The stolen data includes a wide range of sensitive information, such as:

• Health insurance information (e.g., primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
• Health information (e.g., medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
• Billing, claims, and payment information (e.g., claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
• Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

Change Healthcare has stated that the scope of exposed data may vary for each individual and that patients’ complete medical histories have not been seen in the stolen data.

In a Change Healthcare data breach notification, the company explains the steps they are taking to address the issue and offers resources for those who believe their personal data may have been impacted. They also mention that they are providing two years of complimentary credit monitoring and identity theft protection services for affected individuals.

Change Healthcare plans to mail formal data breach notification letters starting in late July. However, they might not have mailing addresses for all impacted individuals. In the meantime, those affected can visit changecybersupport.com for more information and instructions on how to sign up for free credit monitoring and learn about potential risks associated with the stolen data.

The Change Healthcare ransomware attack

The data breach notifications are a result of a February ransomware attack on UnitedHealth subsidiary Change Healthcare, during which attackers stole 6 TB of data from the company. This attack caused significant disruptions in the US healthcare system, preventing doctors and pharmacies from filing claims. Pharmacies, in particular, were affected heavily, as they could not process insurance claims or accept discount prescription cards, forcing some patients to pay full price for medications.

The BlackCat (aka ALPHV) ransomware gang carried out the attack, using stolen credentials to log into the company’s Citrix remote access service, which lacked multi-factor authentication. UnitedHealth eventually paid a ransom demand, allegedly $22 million, to the ransomware gang, which was supposed to be split with an affiliate who conducted the attack. However, the BlackCat operation shut down and kept the entire payment for themselves.

The angered affiliate announced that they still possessed Change Healthcare’s data and had not deleted it as promised. They began leaking some of the stolen data on the RansomHub data leak site, demanding additional payment to prevent further releases. Eventually, the entry for Change Healthcare disappeared from the RansomHub website, suggesting that United Health may have paid a second ransom demand.

United Health estimates that the Change Healthcare ransomware attack has caused $872 million in losses as of April, a figure that will likely increase once all investigations and remediations are completed.