In a shocking revelation, more than 100 million individuals had their private health data stolen during a ransomware attack on Change Healthcare in February. The cyberattack led to months of severe outages and disruption across the U.S. healthcare sector. The breach at Change Healthcare, which is owned by the U.S. health insurance provider UnitedHealth Group (UHG), is the largest known digital theft of U.S. medical records and one of the biggest data breaches in modern history.
Updated Breach Numbers Reported
The U.S. Department of Health and Human Services reported the updated number of affected individuals on its data breach portal recently. UHG spokesperson Tyler Mason stated, “We continue to notify potentially impacted individuals as quickly as possible, given the volume and complexity of the data involved and the investigation is still in its final stages.”
Details of Stolen Data
The stolen data includes personal information such as names, addresses, dates of birth, phone numbers, email addresses, and government identity documents. The stolen health data includes diagnoses, medications, test results, imaging, care and treatment plans, and health insurance information. Financial and banking information found in claims and payment data was also taken by the criminals.
Change Healthcare’s Role in the Healthcare Sector
Change Healthcare, one of the largest handlers of health and medical data and patient records, processes patient insurance and billing across the U.S. healthcare sector. The company handles vast amounts of health and medical-related information on around a third of all Americans.
Details of the Cyberattack
The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang’s leaders later vanished after taking a $22 million ransom paid by the health insurance giant.
Efforts to Catch the Hackers
Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The U.S. State Department increased its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.
Corporate Consolidation and Poor Security Blamed for Data Breach
Portions of Change Healthcare’s network remain offline as the company continues to recover from the February cyberattack. Lawmakers are also investigating the breach and the effect on the millions of Americans whose health data was irreversibly stolen. During a House hearing into the cyberattack, UnitedHealth’s CEO Witty confirmed that the cybercriminals broke into one of its employee systems using stolen credentials that were not protected with multi-factor authentication (MFA).
UnitedHealth Group’s Financial Overview
According to its 2023 full-year earnings report, UHG made $22 billion in profit on revenues of $371 billion. Witty made $23.5 million in executive compensation the same year. While the lack of MFA was abused in this case, the sheer size and wealth of highly sensitive data that Change Healthcare collects and stores made it a target in itself, lawmakers said.
Merging of Healthcare Giants
Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal by UnitedHealth Group. The deal faced scrutiny by U.S. federal antitrust authorities, who sued to block UHG from buying Change Healthcare and merging it with Optum. However, a judge ultimately approved the deal.