UnitedHealth says Change Healthcare hack affects over 100 million, the largest-ever US healthcare data breach | TechCrunch (2024)

More than 100 million individuals had their private health information stolen during the ransomware attack on Change Healthcare in February, a cyberattack that caused months of unprecedented outages and widespread disruption across the U.S. healthcare sector.

This is the first time that UnitedHealth Group (UHG), the U.S. health insurance provider that owns the health tech company, has put a number of affected individuals to the data breach, after previously saying it anticipated the breach to include data on a “substantial proportion of people in America.”

The U.S. Department of Health and Human Services first reported the updated number on its data breach portal on Thursday.

UHG spokesperson Tyler Mason said in a brief statement: “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages.”

The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting.

UHG began notifying affected individuals in late July, which continued through October.

The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver’s license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information — as well as financial and banking information found in claims and payment data taken by the criminals.

Change Healthcare is one of the largest handlers of health, medical data, and patient records, as it processes patient insurance and billing across the U.S. healthcare sector, including thousands of hospitals, pharmacies, and medical practices. As such, Change handles huge amounts of health and medical-related information on around a third of all Americans, the company’s chief executive Andrew Witty told lawmakers in May.

The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing.

UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack.

The ransomware gang’s leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group’s contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.

There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data.

In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data.

Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang’s dark web leak site.

Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.

Corporate consolidation and poor security blamed for data breach

Portions of Change Healthcare’s network remain offline as the company continues to recover from the February cyberattack. Lawmakers are also investigating the breach and the effect on the millions of Americans whose health data was irreversibly stolen.

During a House hearing into the cyberattack in April, UnitedHealth’s CEO Witty confirmed that the cybercriminals broke into one of its employee systems using stolen credentials that were not protected with multi-factor authentication (MFA), a security feature that can help to protect against the misuse of password theft.

By gaining access to a critical internal system using only a stolen password, the ransomware gang was able to reach other parts of Change Healthcare’s network and deploy ransomware.

UnitedHealth says Change Healthcare hack affects over 100 million, the largest-ever US healthcare data breach | TechCrunch (1)

It’s unclear why the system was not protected with MFA, but this will likely remain a key part of the ongoing investigations by lawmakers and the government. Witty told lawmakers that the organization has since rolled out and now enforces MFA following the cyberattack.

Lawmakers homed in on how UHG handles so much data and generates so much revenue and failed at basic cybersecurity.

According to its 2023 full-year earnings report, UHG made $22 billion in profit on revenues of $371 billion. Witty made $23.5 million in executive compensation the same year.

While the lack of MFA was abused in this case, the sheer size and wealth of highly sensitive data that Change Healthcare collects and stores made it a target in itself, lawmakers said.

Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal by UnitedHealth Group. The deal brought the two healthcare giants under UHG and allowed Optum, which owns physician groups and provides tech and data to insurance companies and healthcare services, broad access to patient records handled by Change.

UnitedHealth Group collectively provides over 53 million U.S. customers with benefit plans and another 5 million outside of the United States, according to its latest full-year earnings report. Optum serves about 103 million U.S. customers.

The deal faced scrutiny by U.S. federal antitrust authorities, who sued to block UHG from buying Change Healthcare and merging it with Optum, arguing that UnitedHealth would get an unfair competitive advantage by gaining access to “about half of all Americans’ health insurance claims pass each year.” A judge ultimately approved the deal.

The Justice Department reportedly began cranking up its investigation into UHG and its potential anticompetitive practices in the months prior to the Change Healthcare hack.

Updated with UHG comment.

Read more:

  • How the ransomware attack at Change Healthcare went down: A timeline
  • Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans
  • Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO
UnitedHealth says Change Healthcare hack affects over 100 million, the largest-ever US healthcare data breach | TechCrunch (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Kieth Sipes

Last Updated:

Views: 5559

Rating: 4.7 / 5 (47 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Kieth Sipes

Birthday: 2001-04-14

Address: Suite 492 62479 Champlin Loop, South Catrice, MS 57271

Phone: +9663362133320

Job: District Sales Analyst

Hobby: Digital arts, Dance, Ghost hunting, Worldbuilding, Kayaking, Table tennis, 3D printing

Introduction: My name is Kieth Sipes, I am a zany, rich, courageous, powerful, faithful, jolly, excited person who loves writing and wants to share my knowledge and understanding with you.