UnitedHealth says the Change Healthcare data breach affects more than 100 million people in America

More than 100 million people had their private health information stolen during the Change Healthcare ransomware attack in February, a cyberattack that caused unprecedented months of downtime and widespread disruption to the US healthcare sector.

This is the first time that UnitedHealth Group, a US health insurance provider that owns a health technology company, has included the number of people affected in a data breach, after it previously said it expected the breach to include information on “a large number of people.” America.”

The US Department of Health and Human Services first reported the updated number on its data breach website on Thursday.

Tyler Mason, a UHG spokesman, did not immediately respond to a request for comment.

The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of US medical records, and one of the largest data breaches in living history. The benefits of the millions of Americans whose confidential medical information was irretrievably stolen may be forever.

UHG started notifying affected people in late July, which continued until October.

The personal data stolen varies from person to person, but Change has previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identification, including Social Security numbers, driver’s licenses and passport numbers. Stolen health data includes diagnoses, medications, test results, photos and care and treatment plans, as well as health insurance information — as well as financial and banking information found in claims and billing data taken by criminals.

Change Healthcare is one of the largest managers of health, medical data and patient records as it processes patient insurance and payments across the US healthcare sector, including thousands of hospitals, pharmacies and medical practices. As such, Change handles a large amount of health and medical-related information for about a third of all Americans, the company’s CEO Andrew Witty told lawmakers in May.

The cyberattack became public on February 21 when Change Healthcare pulled a large portion of its network offline to contain the attackers, causing an immediate outage across the entire US healthcare sector that relied on Change to manage patient insurance and billing.

UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and hacker group, which later gained credit for the cyberattack.

The leaders of the gang who were later rescued disappeared after fleeing with a $22 million ransom paid by the health insurance giant, strengthening the gang’s contractors who hacked Change Healthcare for their new financial windfall. The contractors took the data they had stolen from Change Healthcare and formed a new group, which took a second ransom from UHG, while publishing part of the stolen files online in the process of proving their threat.

There is no evidence that the hackers then deleted the data. Some hacking groups, including LockBit, have been shown to collect stolen data, even after the victim has paid and the hackers claim to have deleted the data.

Upon paying the ransom, Change received a copy of the stolen dataset, allowing the company to identify and notify affected individuals whose information was obtained from the data.

Efforts by the US government to arrest the criminals behind ALPHV/BlackCat, one of the most active ransom gangs today, have been unsuccessful. The gang went back after a 2023 takedown operation to seize the group’s leaky dark web site.

Months after the Change Healthcare breach, the US State Department increased its reward for information on the whereabouts of the ALPHV/BlackCat hackers to $10 million.

Business integration and poor security suspected of data breach

Part of Change Healthcare’s network remains offline as the company continues to recover from the February cyberattack. Lawmakers are also investigating the breach and the impact on millions of Americans whose health data was irretrievably stolen.

During a House hearing on the cyberattack in April, UnitedHealth CEO Witty confirmed that hackers hacked one of its employee systems using stolen information that was not protected by multi-factor authentication (MFA), a security feature that can help protect against crime. misuse of password theft.

By gaining access to a critical internal system using only a stolen password, the ransomware gang was able to access other parts of Change Healthcare’s network and execute the ransomware.

It is not clear why this program is not protected by MFA, but this will remain an important part of the ongoing investigation by law enforcement and the government. Witty told lawmakers that the agency has stepped in and is now enforcing the MFA following the cyberattack.

Lawmakers noted how UHG handled so much data and made so much money, and failed in basic cybersecurity.

According to its full year report for 2023, UHG made a profit of 22 billion on a revenue of 371 billion. UHG CEO Witty made $23.5 million in top compensation that same year.

While the lack of MFA was abused in this case, the size and wealth of highly sensitive data collected by Change Healthcare and the stores made it a target in itself, lawmakers said.

Change Healthcare is merging with US healthcare provider Optum in 2022 as part of UnitedHealth Group’s $7.8 billion deal. The deal brought the two healthcare giants under UHG and allowed Optum, which owns physician groups and provides technology and data to insurance companies and healthcare services, broader access to patient records managed by Change.

UnitedHealth Group collectively serves more than 53 million US customers with benefit plans and another five million outside the United States, according to its latest full-year earnings report. Optum serves about 103 million US customers.

The deal faced scrutiny from U.S. antitrust authorities, who sued to prevent UHG from buying Change Healthcare and merging it with Optum, saying UnitedHealth would gain an unfair competitive advantage by accessing “nearly half of all American health insurance claims go through each.” year.” The judge finally approved the deal.

The Justice Department reportedly began assembling its investigation into UHG and its potential competitors months before the Change Healthcare hack.

Read more: