UnitedHealth has officially announced that more than 100 million individuals had their personal and health information compromised during the Change Healthcare ransomware incident, making it the most significant healthcare data breach in recent history.
In May, Andrew Witty, the CEO of UnitedHealth, cautioned in a congressional hearing that approximately one-third of all health data belonging to Americans may have been compromised in the cyberattack.
A month after the incident, Change Healthcare issued a notification regarding a data breach, indicating that the ransomware attack from February had compromised a significant amount of data affecting a large number of individuals across the United States.
The U.S. Department of Health and Human Services Office for Civil Rights has revised the data breach portal, revealing that 100 million individuals have been affected. This marks the first occasion on which UnitedHealth, the parent organization of Change Healthcare, has provided an official count regarding the breach.
An updated FAQ on the OCR website states that Change Healthcare informed OCR on October 22, 2024, that around 100 million individual notifications have been dispatched concerning this breach.
Notifications regarding data breaches issued by Change Healthcare since June indicate that a substantial quantity of sensitive data was compromised during the ransomware attack in February, which included:
- Health insurance details (including primary and secondary plans, insurance providers, member group identification numbers, and ID numbers for Medicaid, Medicare, and other government payers);
- Health details (including medical record identifiers, healthcare providers, diagnoses, medications, test outcomes, imaging results, and care or treatment information);
- Billing, claims, and payment information (including claim numbers, account identifiers, billing codes, payment card details, financial and banking data, payments received, and outstanding balances);
- Additional personal details (including Social Security numbers, driver’s license or state identification numbers, and passport numbers).
The details can vary from person to person, and not all medical histories were disclosed.
The ransomware incident involving Change Healthcare
A ransomware attack in February targeting Change Healthcare, a subsidiary of UnitedHealth, resulted in a significant data breach and caused extensive disruptions across the U.S. healthcare system.
The company’s IT system failure prevented doctors and pharmacies from submitting claims and stopped pharmacies from processing discount prescription cards, leaving patients to pay full price for their medications.
The attack was carried out by the BlackCat ransomware group, also known as ALPHV, which used stolen login credentials to access the company’s Citrix remote access service, which lacked multi-factor authentication.
During the attack, the threat actors exfiltrated 6 TB of data and then encrypted devices on the network. This forced the company to shut down its IT systems to contain the attack’s spread.
UnitedHealth Group acknowledged that it made a ransom payment to obtain a decryption tool and ensure the deletion of the stolen information. Reports indicate that this payment was approximately $22 million, as stated by the BlackCat ransomware affiliate responsible for the attack.
The ransom that was meant to be divided between the affiliate and the ransomware group ended up being taken entirely by BlackCat, which abruptly ceased operations and executed an exit scam.
Nonetheless, Change Healthcare continued to face challenges when the affiliate asserted that they retained the company’s data and had failed to erase it as they had agreed. This affiliate then collaborated with a new ransomware group called RansomHub, starting to disclose portions of the stolen information while insisting on further payment to prevent additional data from being made public.
A few days later, the listing for Change Healthcare on RansomHub’s data leak site vanished without explanation, suggesting that UnitedHealth may have fulfilled a second ransom request.
In April, UnitedHealth reported that the ransomware attack on Change Healthcare resulted in $872 million in losses. This figure has since risen, and as part of the Q3 2024 earnings report, it is now anticipated to reach $2.45 billion for the nine-month period ending September 30, 2024.