UnitedHealth has confirmed the types of medical and patient data stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed starting at the end of July.
What happened
The BlackCat (ALPHV) ransomware group executed a sophisticated attack on Change Healthcare, compromising as much as one-third of all Americans' health data. The stolen information comprises health insurance details, medical records, billing information, and personal identifiers.
Change Healthcare plans to commence mailing notifications to affected individuals in late July, following the completion of quality assurance procedures.
The backstory
The BlackCat cyber counteroffensive, a series of coordinated cyberattacks on healthcare organizations, began after U.S. law enforcement seized the group's darknet website and infrastructure in December.
In retaliation, the Russia-based ransomware group intensified their attacks, targeting healthcare organizations worldwide, including the U.S. military's Tricare healthcare program, Medicare, CVS Caremark, MetLife, and Health Net. The attack on Change Healthcare resulted in the theft of 6 TB of data and caused widespread outages in the U.S. healthcare system.
Going deeper
BlackCat uses various tactics, including double-extortion, where data is first exfiltrated and then encrypted. Thereafter, victims are pressured to meet ransom demands to prevent the release of stolen data.
The attackers used stolen credentials to access Change Healthcare’s Citrix remote access service, which lacked multi-factor authentication, further complicating detection and prevention efforts.
Read also: Going deeper: The Change Healthcare attack
What was said
According to their press release on June 21, 2024, Change Healthcare “cannot confirm exactly what data has been affected for each impacted individual, information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, phone number, and email) and one or more of the following:
- Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.”
However, the specific information affected varies for each impacted individual. So far, no complete medical histories have been found in the data review. Additionally, some information might pertain to guarantors who paid bills for healthcare services.
The bottom line
Protecting patient data is not just about compliance. It is also about ensuring trust, continuity of care, and the integrity of healthcare services.
Additionally, those potentially impacted by the Change Healthcare breach should take advantage of the free credit monitoring services offered and remain vigilant for signs of identity theft.
