Threat actors accessed the private health information of more than 100 million people in the February breach of Change Healthcare — the largest-ever health care data breach reported to federal regulators — the U.S. Office for Civil Rights revealed on Oct. 22.
The hack, information about which was revealed in June, could affect up to one-third of Americans. It has proven to be one of the most significant cyberattacks of the year and shows how ransomed data can lead to physical harms such as belated delivery of essential medication.
SEE: Nation-state attackers may search for “target-rich, cyber-poor” organizations like public infrastructure or health care, said CISA advisor Nicole Perlroth.
What was the Change Healthcare cyberattack?
In February, UnitedHealth Group, the parent company of Change Healthcare, found out that an attacker had introduced ransomware into Change Healthcare’s systems. The group ALPHV, sometimes called BlackCat, claimed responsibility for the breach.
By March, Change Healthcare had determined attackers accessed their systems from Feb. 17 to 20. The company brought in “leading cybersecurity and data analysis experts,” Mandiant personnel among them, and obtained a copy of the stolen records, analyzing the dataset. United Healthcare released a more thorough accounting of the incident in April.
In a Senate hearing on the matter in May, UnitedHealth Group CEO Andrew Witty said the company had paid a ransom of $22 million in Bitcoin to release the stolen data.
Cybersecurity experts don’t recommend paying ransoms because it rewards threat actors, can cause significant financial harm to the business, and does not guarantee the return of the data. The U.S. government has considered the controversial idea of banning ransom payments.
Change Healthcare said it can’t specify what data has been affected for each individual. In general, the stolen data included:
- First and last name, address, date of birth, phone number, and email.
- Health information such as diagnoses, medical record numbers, images, and test results.
- Billing, claims, and payment information
- Other personal information that may be associated with medical records, such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
Full medical histories or doctors’ charts have not been found among the stolen data.
The attack delayed prescription deliveries and led to a business disruption impact of $705 million. Overall, Change Healthcare’s financial outlook for next year is lower than expected.
Change Healthcare offers resources for affected customers
United Healthcare says their investigation of the attack is still ongoing but in its final stages.
The company is still sending notifications to those affected. Change Healthcare offers two years of complimentary credit monitoring and identity theft protection services from IDX to eligible customers. They provided “trained clinicians to provide emotional support services” through a dedicated call center. The call center cannot provide information about what specific data may have been exposed from individual accounts.
United Healthcare recommends impacted patients monitor their bank accounts and medical insurance statements. Unusual activity should be reported to their financial institution or health care provider as appropriate.
Ransomware attacks on health care have far-reaching consequences
Cyberattacks on health care data are a perfect storm of potentially lucrative random opportunities for threat actors and heightened mistrust among affected customers. Patients can lose access to necessary medications and care can be delayed if operations are disrupted.
In May, a ransomware attack at hospital system Ascension slowed down care. Around the same time, the U.S. Advanced Research Projects Agency for Health announced its intention to invest more than $50 million in tools for information technology professionals in hospital settings to improve their cybersecurity.