UnitedHealth Group’s subsidiary suffered a data breach that affected approximately 100 million Americans.
At a Glance
- Change Healthcare, a UnitedHealth subsidiary, suffered a massive ransomware attack in February 2024.
- 6TB of sensitive customer data was stolen, including medical records and personal information.
- The attack was carried out by an affiliate of the ALPHV ransomware group, also known as BlackCat.
- UnitedHealth paid a $22 million ransom, but the hackers did not delete the data as agreed.
Unprecedented Scale of the Breach
A cyberattack on Change Healthcare, a UnitedHealth Group subsidiary, has resulted in what is being considered the largest healthcare data breach in U.S. history. The attack occurred in February 2024 and has impacted approximately 100 million Americans, according to the U.S. Department of Health and Human Services Office for Civil Rights, exposing a vast array of sensitive health and personal information.
Change Healthcare, a major health payment processing company, works with numerous insurers including Aetna, Anthem, Blue Cross Blue Shield, and Cigna. This wide-reaching network explains the extensive impact of the breach.
UnitedHealth says Change Healthcare data breach affects over 100 million people in America https://t.co/rcVMIPBgRm
— TechCrunch (@TechCrunch) October 24, 2024
Nature of the Attack and Stolen Data
The cyberattack was allegedly carried out by an affiliate of the ALPHV ransomware group, also known as BlackCat. The hackers stole 6TB of sensitive customer data, including health insurance information, medical records, billing details, and personally identifiable information. The stolen data includes medical diagnoses, test results, Social Security numbers, and driver’s license or state ID numbers.
The breach allegedly stemmed from stolen employee login credentials and a critical security oversight: the lack of multi-factor authentication (MFA) on the company’s Citrix remote access service. With no second factor required, the stolen credentials were enough for the hackers to gain unauthorized access to the system and exfiltrate data before deploying the ransomware.
Ransom Payment and Aftermath
In an attempt to mitigate the damage, UnitedHealth paid a $22 million ransom to receive a decryptor and an agreement for data deletion. However, the situation took a turn for the worse when the hackers allegedly reneged on their promise, failing to delete the data and instead shutting down their servers. This development raises serious concerns about the potential misuse of the stolen information.
The attack has had far-reaching consequences beyond the data breach itself. It has significantly disrupted the healthcare system, affecting doctors’ and pharmacies’ ability to file claims and accept discount cards. The financial cost of the cyberattack for UnitedHealth is projected to be about $2.45 billion as of the third quarter of 2024, highlighting the enormous economic impact of such breaches.
Ongoing Investigation and Response
The federal investigation into this massive breach is ongoing, and UnitedHealth is continuing to notify affected individuals. The company has updated its policies to require multi-factor authentication, addressing the security vulnerability that led to the breach. The Department of Health and Human Services Office for Civil Rights has been informed of the breach, and UnitedHealth began notifying affected organizations and individuals in June.
As this unprecedented healthcare data breach continues to unfold, it serves as a stark reminder of the critical importance of robust cybersecurity measures in the healthcare sector. The incident highlights the need for constant vigilance and the implementation of strong security protocols to protect sensitive health information in an increasingly digital healthcare landscape.