[ad_1]
More than 100 million individuals had their private health information stolen during the Change Healthcare ransomware attack in February, a cyberattack that caused months of unprecedented outages and widespread disruption to the U.S. healthcare sector.
This is the first time that UnitedHealth Group, the US health insurer that owns the health technology company, has listed a number of individuals affected in a data breach, having previously said it expected the breach would involve data on a “large proportion of people” in America.”
US Department of Health and Human Services First reported the updated figure On the data breach portal on Thursday.
Tyler Mason, a UHG spokesman, did not immediately respond to a request for comment.
The Change Healthcare ransomware attack and data breach represents the largest known digital theft of U.S. medical records, and one of the largest data breaches in living history. For the millions of Americans whose private medical information was irrevocably stolen, the consequences are likely to be lifelong.
UHG began notifying affected individuals in late July, which continued into October.
The stolen personal data varies depending on individuals, but Al-Change previously confirmed that it includes personal information, such as names, addresses, dates of birth, phone numbers, email addresses, and government identification documents, including Social Security numbers, driver’s licenses, and passport numbers. Stolen health data includes diagnoses, medications, test and imaging results, care and treatment plans, and health insurance information – as well as financial and banking information found on claims and payment data taken by criminals.
Change Healthcare is one of the largest companies handling health and medical data and patient records, processing patient insurance and billing across the US healthcare industry, including thousands of hospitals, pharmacies and medical practices. As such, Change handles vast amounts of health and medical information related to about a third of all Americans, the company’s CEO, Andrew Witty, told lawmakers in May.
The cyberattack became public on February 21 when Change Healthcare took a large portion of its network offline to contain the hackers, causing an immediate outage throughout the U.S. healthcare sector that relies on Change to handle patient insurance and billing.
UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking extortion and ransomware gang, which later claimed responsibility for the cyberattack.
The leaders of the ransomware ring later disappeared after escaping with a $22 million ransom paid by the health insurance giant, discouraging the group’s contractors who carried out the Change Healthcare hack to cash in on their new financial windfall. The contractors took the data they had stolen from Change Healthcare and formed a new group that extorted a second ransom from UHG, while publishing part of the stolen files online in the process to prove their threat.
There is no evidence that cybercriminals later deleted the data. Other extortion gangs, including LockBit, have been shown to store stolen data, even after the victim pays and the criminals claim to have deleted the data.
By paying the ransom, Change obtained a copy of the stolen data set, allowing the company to identify and notify affected individuals whose information was found in the data.
Efforts by the US government to catch the hackers behind ALPHV/BlackCat, one of the most prevalent ransomware gangs today, have so far been unsuccessful. The gang returned again after a takedown in 2023 to take over the gang’s dark web leak site.
Months after the Change Healthcare hack, the US State Department raised its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.
Corporate consolidation and poor security blame data breaches
Parts of Change Healthcare’s network remain offline as the company continues to recover from a cyberattack it suffered in February. Lawmakers are also investigating the breach and its impact on millions of Americans whose health data was irreversibly stolen.
During a House hearing on the cyberattack in April, Whitty, CEO of UnitedHealth, confirmed that cybercriminals broke into one of her employees’ systems using stolen credentials that were not protected by multi-factor authentication (MFA), a security feature that can help protect against attacks. Electronic. Password theft abuse.
By gaining access to a critical internal system using only a stolen password, the ransomware gang was able to access other parts of the Change Healthcare network and spread the ransomware.
It is unclear why the system is not protected by the MFA, but this is likely to remain a key part of ongoing investigations by lawmakers and the government. Whitty told lawmakers that the organization has since gone public and is now implementing MFA after the cyberattack.
Lawmakers focused on how UHG handled so much data and generated so much revenue, and failed on basic cybersecurity.
According to its 2023 full-year earnings report, UHG generated profits of $22 billion on revenue of $371 billion. Whitty, UHG’s CEO, received executive compensation of $23.5 million that same year.
While the lack of MFA was abused in this case, the sheer volume and wealth of highly sensitive data that Change Healthcare collects and stores makes it a target in itself. The lawmakers said.
Change Healthcare merged with US healthcare company Optum in 2022 as part of a $7.8 billion deal for UnitedHealth Group. The deal brought the two healthcare giants under the UHG umbrella and allowed Optum, which owns physician groups and provides technology and data to insurers and healthcare services, broad access to the patient records handled by Change.
UnitedHealth Group collectively provides benefits plans to more than 53 million U.S. customers and another five million outside the United States, according to Latest full-year earnings report. Optum serves approximately 103 million US customers.
The deal has faced scrutiny from US federal antitrust authorities She filed a lawsuit to prevent UHG from purchasing Change Healthcare and merging it with Optumarguing that UnitedHealth would gain an unfair competitive advantage by accessing “about half of Americans’ health insurance claims that go through each year.” The judge eventually approved the deal.
Ministry of Justice It has reportedly begun strengthening its investigations into UHG and its potential anticompetitive practices In the months leading up to the Change Healthcare hack.
Read more:
[ad_2]