UnitedHealth Group's Massive Data Breach Impacts 190 Million Americans


UnitedHealth Group has confirmed that the ransomware attack that targeted its subsidiary, Change Healthcare, in February 2024 has impacted an estimated 190 million individuals in the United States.

This significantly surpasses earlier estimates of around 100 million, making it the largest medical data breach in US history. For scale, this breach is 2.5 times larger than the 2015 Anthem Inc. data breach, which exposed 78.8 million records.

It is worth noting that Change Healthcare is a major player in the healthcare technology sector and handles a substantial volume of sensitive health and medical data, including patient records and healthcare claims, clearing nearly 40% of all medical claims annually.

The breach is attributed to the ALPHV (aka BlackCat) ransomware group. The attackers used compromised credentials to log in to Citrix remote-access software through an account that lacked multi-factor authentication, gaining unauthorized access to Change Healthcare’s systems. The attack resulted in a reported $872 million financial impact and the exfiltration of 6TB of sensitive data. It took the company months to restore its systems.

UnitedHealth claims there is no evidence that the stolen data has been misused, even though the hackers have had access to it for almost a year. The breach is still concerning because it exposed sensitive medical records, including health insurance details, patient diagnoses, test results, and treatment information.

In addition, attackers stole sensitive personal data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical records. Following the attack, the company paid $22 million in ransom to prevent further data leaks.

Reportedly, BlackCat scammed “Notchy,” the affiliate who conducted this breach, pocketing the ransom payment without paying the affiliate’s share. In response, the affiliate collaborated with RansomHub in an attempt to extort Change Healthcare further, but no additional payments were made, leaving the stolen data in cybercriminals’ hands.

The impact of this breach extends far beyond the immediate theft of data. It disrupted healthcare services across the country, causing significant operational challenges and raising concerns about patient privacy and data security. A survey by the American Hospital Association revealed severe financial and patient care impacts, with 94% of US hospitals bearing financial losses, nearly 40% of hospitals facing difficulty accessing care due to authorization delays, and 67% of hospitals finding switching clearinghouses very difficult.

In adherence to the Health Insurance Portability and Accountability Act (HIPAA), UnitedHealth Group has notified most affected individuals about the February 2024 ransomware attack.

The incident has raised concerns about patient data security and healthcare sector vulnerabilities and highlighted the urgent need for implementing advanced cybersecurity measures to protect sensitive information and mitigate such threats.
