More than 100 million affected in February Change Healthcare hack, UnitedHealth says

The February attack caused UnitedHealth to shut down its insurance claims and payment platforms.

Healthcare data and personal information of more than 100 million people were stolen in the ransomware attack on Change Healthcare in February, UnitedHealth has confirmed for the first time.

Acting as a pipeline between health care and insurance providers, Change processes 15 billion medical transactions each year, representing more than $1.5 trillion in health care claims, its website states. The Justice Department also says the company manages half of all medical insurance claims in the country.

That all came to a halt, however, when notorious ransomware group AlphV/BlackCat attacked on Feb. 21, and the shutdown of Change's financial services left those dependent on them scrambling to fill prescriptions, process claims, bill patients, verify insurance coverage, pay employees, refill hospital medication, supply inventories and more for weeks.

Months later, UnitedHealth, which owns Change, said a "substantial proportion of people in America" were affected by the attack, and the CEO later noted that the breach may have compromised the data of as many as one-third of Americans.

Now with this tally of more than 100 million, first published on the U.S. Department of Health and Human Services Office for Civil Rights' Breach Portal Thursday, the attack has become the largest data breach on the federal body's list — and one of the largest in history — with the stolen information potentially including everything from payment processing and health insurance information to medical records and personal data.

UnitedHealth CEO Andrew Witty said in a hearing before the Senate Committee on Finance that the hackers used "compromised credentials" to remotely access Change Healthcare's Citrix portal, which didn't have multifactor authentication. He also admitted to paying AlphV/BlackCat a ransom, amounting to $22 million, for the 6TB of data used in medical insurance claims that the group said it accessed after claiming responsibility for the attack.

AlphV/BlackCat is the world's second-most prolific ransomware-as-a-service variant based on the hundreds of millions of dollars in ransoms paid by its victims, the Justice Department said in December. That's when an FBI operation was thought to have crippled the gang by seizing several of its websites and tools, but two months later, the group carried out this attack on Change.
