Heimdal

UnitedHealth confirms for the first time that over 100 million people had their personal information and healthcare records stolen during the Change Healthcare ransomware attack.

Change Healthcare initially published a data breach notification warning in June, stating that a ransomware attack in February exposed a ‘substantial quantity of data’ for a significant proportion of the U.S. population.

UnitedHealth CEO, Andrew Witty, warned in May that ‘maybe a third’ of all American health data was exposed in the attack, and recently, the U.S. Department of Health and Human Services Office for Civil Rights gave an update on the number of impacted people.

According to the OCR data breach portal, 100 million Americans were affected by the ransomware attack. This marks the first time UnitedHealth has put an official number on the breach.

Information stolen in the attack includes:

  • Health insurance information (primary, secondary, or other health plans, insurance companies, member/group ID numbers, Medicaid-Medicare-government payor ID numbers);
  • Health information (medical records, medicines, diagnoses, test results, images, care, and treatment);
  • Billing, claims, and payment information such as account numbers, financial and banking information, and others;
  • Social Security numbers, state ID numbers, passport numbers, driver’s licenses, and other personal information.

Details About the Change Healthcare Campaign

Back in February, the breach caused widespread outages in the U.S. healthcare system. Patients were forced to pay full price for prescription drugs because the company’s IT systems were disrupted, making it impossible for physicians and pharmacists to submit claims or for pharmacies to accept discount prescription cards.

Behind the attack was the BlackCat ransomware gang, also known as ALPHV. The threat actors used stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

The corporation locked down its IT infrastructure to stop the attack from spreading after the threat actors encrypted endpoints on the network and stole 6 TB of data.

In order to obtain a decryptor and have the threat actors remove the stolen material, UnitedHealth Group acknowledged paying a ransom demand. The BlackCat ransomware branch that carried out the attack claims that the ransom payment was $22 million.

The ransom was supposed to be split between BlackCat and another affiliate, but the ransomware operation shut down and pulled an exit scam, stealing the entire payment.

The affiliate claimed they still had the company’s data and did not delete it as promised. It then partnered with RansomHub and began leaking some of the data and demanding an additional payment. The Change Healthcare entry on RansomHub’s data leak site disappeared a few days later.

In April, UnitedHealth put the cost of the Change Healthcare ransomware attack at $872 million; in its Q3 2024 earnings, the company raised that figure to an estimated $2.45 billion for the nine months ending September 30, 2024.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
