UnitedHealth has confirmed that over 100 million people had their healthcare and personal data compromised in a February ransomware attack on its subsidiary, Change Healthcare. This revelation solidifies the breach as one of healthcare’s most extensive data thefts, potentially affecting nearly a third of the American population.
During a congressional hearing in May, UnitedHealth CEO Andrew Witty hinted at the staggering scope of the breach, suggesting that millions of Americans might be impacted. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has updated its portal with an official tally, indicating that Change Healthcare notified OCR on October 22, 2024, that approximately 100 million individuals have been contacted regarding the breach.
Change Healthcare began issuing breach notifications in June, alerting individuals that sensitive information, including health insurance details, medical records, payment and billing data, and critical personal identifiers such as Social Security numbers, was exposed in the attack.
However, the data compromised varied for each individual, meaning not every person affected had the same information stolen.
The attack began in February 2024, when the BlackCat ransomware gang, also known as ALPHV, exploited a weakness in Change Healthcare’s Citrix remote access system, which lacked multi-factor authentication. Armed with stolen credentials, BlackCat infiltrated the company’s network, stealing 6 TB of data before launching a sweeping encryption attack that crippled Change Healthcare’s systems.
The resulting outages impacted the U.S. healthcare system, preventing pharmacies from accepting discount prescription cards and leaving patients to pay full price for medications. They also caused significant disruption in the processing of medical claims.
To mitigate the attack, UnitedHealth ultimately paid a ransom of $22 million to recover access to its system. However, it was later revealed that the payment may not have achieved its intended outcome. The ransomware affiliate responsible for the attack claimed the data had not been deleted as promised, leading to further extortion demands.
As BleepingComputer reports, the ransomware affiliate responsible for the initial breach allegedly began collaborating with a new ransomware group, RansomHub. It leaked portions of the stolen data on a data leak site, demanding an additional ransom to withhold further releases. This entry on RansomHub’s leak site disappeared only a few days later, hinting that UnitedHealth may have paid a second ransom.
The financial impact on UnitedHealth Group has been substantial. Initially estimated at $872 million, the cost has since risen to a projected $2.45 billion for the first nine months of 2024.