Threat actors accessed the private health information of more than 100 million people in February's Change Healthcare breach, the largest healthcare data breach ever reported to federal regulators, the US Office for Civil Rights revealed on October 22.
The hack, details of which were disclosed in June, could affect up to a third of Americans. It has proven to be one of the biggest cyberattacks of the year and shows how ransomed data can cause physical harm, such as delayed delivery of essential medicines.
SEE: Nation-state attackers can look for “target-rich, cyber-poor” organizations, such as public infrastructure or healthcare, said CISA advisor Nicole Perlroth.
What was the Change Healthcare cyberattack?
In February, UnitedHealth Group, the parent company of Change Healthcare, discovered that an attacker had introduced ransomware into Change Healthcare's systems. The ALPHV group, sometimes called BlackCat, claimed responsibility for the breach.
In March, Change Healthcare determined that attackers had accessed its systems from February 17 to 20. The company hired “leading data analytics and cybersecurity experts,” including Mandiant staff, and obtained and analyzed a copy of the stolen records. United Healthcare released a more complete report of the incident in April.
At a Senate hearing on the matter in May, UnitedHealth Group CEO Andrew Witty said the company had paid a ransom of $22 million in Bitcoin to release the stolen data.
Cybersecurity experts do not recommend paying ransoms because it rewards threat actors, can cause significant financial damage to the company, and does not guarantee the return of data. The US government has considered the controversial idea of banning ransom payments.
Change Healthcare said it cannot specify which data was affected for each individual. Generally, the stolen data included:
- First and last name, address, date of birth, telephone number and email.
- Health information such as diagnoses, medical record numbers, images, and test results.
- Billing, claims and payment information.
- Other personal information that may be associated with medical records, such as Social Security numbers, driver's license or state identification numbers, or passport numbers.
No complete medical records were found among the stolen data.
The attack delayed prescription deliveries and caused a business disruption impact of $705 million. Overall, Change Healthcare's financial outlook for next year is lower than expected.
Change Healthcare offers resources for affected clients
United Healthcare says its investigation into the attack is still ongoing but is in its final stages.
The company continues to send notifications to those affected. Change Healthcare offers two years of free IDX credit monitoring and identity theft protection services to eligible customers. The company also provided “clinicians trained to provide emotional support services” through a dedicated call center. The call center cannot provide information on what specific data may have been exposed from individual accounts.
United Healthcare recommends that affected patients monitor their bank accounts and health insurance statements. Patients should report unusual activity to their financial institution or healthcare provider, as appropriate.
Ransomware attacks on healthcare have far-reaching consequences
Cyberattacks on healthcare data are a perfect storm of potentially lucrative ransom opportunities for threat actors and increased distrust among affected customers. Patients may lose access to necessary medications, and care may be delayed if operations are interrupted.
In May, a ransomware attack on the Ascension hospital system slowed care. Around the same time, the U.S. Healthcare Advanced Research Projects Agency announced its intention to invest more than $50 million in tools for information technology professionals in hospital environments to improve their cybersecurity.