Change Healthcare has confirmed a February ransomware attack on its systems that caused widespread disruption to the US healthcare system for weeks and resulted in the theft of medical data affecting a “significant percentage of people in America”.
In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyber attack.
The health technology giant, owned by US insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the US healthcare sector. As such, the company has access to massive amounts of health information about a third of all Americans.
The cyberattack prompted the company to shut down its systems, resulting in disruptions and delays for thousands of healthcare providers who rely on Change, and affecting countless patients who could not get prescriptions or had medical care or procedures delayed.
Change said in its latest statement that it “cannot confirm exactly” what data was stolen for each individual and that the information may vary from person to person.
Affected information includes personal information such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identification documents such as social security numbers, driver’s licenses and passport numbers.
The records also include medical records and health information, such as diagnoses, medications, test results, imaging and care and treatment plans, Change said. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said includes financial and banking information.
Change said it was still in the “late stages” of reviewing the stolen data to determine what was taken and that more affected individuals could be identified. Some of the stolen information could be linked to insurers who paid health care bills for someone else, the company said.
The company added that affected individuals should receive notification by mail starting in late July.
The ransomware attack on Change Healthcare stands as one of the largest-ever known digital thefts of medical data in the US. While the full impact of this data breach remains unclear, the ramifications for the millions of Americans whose private medical information has been irreversibly compromised are likely to be incalculable.
Change said it provided a copy of the stolen data in March for review to identify and notify affected individuals, which TechCrunch previously reported was obtained in exchange for paying a ransom demand.
UnitedHealth confirmed it had paid at least one ransom demand to the cybercriminal group behind the ransomware attack, known as ALPHV, in an effort to prevent the release of stolen files. Another hacking group called RansomHub demanded an additional payment from UnitedHealth after it claimed that ALPHV made off with the first ransom payment but left the stolen data with one of its affiliates — essentially a contractor — who broke in and planted the ransomware in Change's systems.
RansomHub then published several files on its dark web leak site and threatened to sell the data to the highest bidder unless another ransom was paid.
According to UnitedHealth CEO Andrew Witty, hackers broke into Change Healthcare’s network using a set of stolen credentials on an internal system that was not protected with multi-factor authentication, a security feature that makes it more difficult for hackers to misuse stolen passwords.
The ransomware attack cost UnitedHealth about $870 million in the first three months of the year, during which the company made $100 billion in revenue, according to the company’s earnings report. UnitedHealth is expected to report its latest earnings in mid-July.