
Change Healthcare hack exposed data of 100 million Americans


UnitedHealth has confirmed that over 100 million people had their healthcare and personal data compromised in a February ransomware attack on its subsidiary, Change Healthcare. This revelation solidifies the breach as one of healthcare’s most extensive data thefts, potentially affecting nearly a third of the American population.

During a congressional hearing in May, UnitedHealth CEO Andrew Witty hinted at the staggering scope of the breach, suggesting that millions of Americans might be impacted. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has updated its portal with an official tally, indicating that Change Healthcare notified OCR on October 22, 2024, that approximately 100 million individuals have been contacted regarding the breach.

Change Healthcare began issuing breach notifications in June, alerting individuals that sensitive information, including health insurance details, medical records, payment and billing data, and critical personal identifiers such as Social Security numbers, was exposed in the attack.

However, the data compromised varied for each individual, meaning not every person affected had the same information stolen.

The attack began in February 2024, when the BlackCat ransomware gang, also known as ALPHV, exploited a weakness in Change Healthcare’s Citrix remote access system, which lacked multi-factor authentication. Armed with stolen credentials, BlackCat infiltrated the company’s network, stealing 6 TB of data before launching a sweeping encryption attack that crippled Change Healthcare’s systems.

The official victim count of the Change Healthcare cyber attack is now 100 million. | Source: U.S. Department of Health and Human Services Office for Civil Rights

The resulting outages impacted the U.S. healthcare system, preventing pharmacies from accepting discount prescription cards and leaving patients to pay full price for medications. They also caused significant disruption in the processing of medical claims.

To mitigate the attack, UnitedHealth ultimately paid a ransom of $22 million to recover access to its system. However, it was later revealed that the payment may not have achieved its intended outcome. The ransomware affiliate responsible for the attack claimed the data had not been deleted as promised, leading to further extortion demands.

As BleepingComputer reports, the ransomware affiliate responsible for the initial breach allegedly began collaborating with a new ransomware group, RansomHub. It leaked portions of the stolen data on a data leak site, demanding an additional ransom to withhold further releases. This entry on RansomHub’s leak site disappeared only a few days later, hinting that UnitedHealth may have paid a second ransom.

The financial impact on UnitedHealth Group has been substantial. Initially estimated at $872 million, the cost has since risen to a projected $2.45 billion for the first nine months of 2024.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
