Massive Data Breach Impacts 100 Million In U.S. Healthcare System

In a major data breach, UnitedHealth has confirmed that personal and healthcare information for more than 100 million people was stolen in a February ransomware attack targeting Change Healthcare. This incident is now regarded as one of the most extensive healthcare data breaches in recent years, according to BleepingComputer (BC).

Change Healthcare, a major processor of insurance and billing data across the U.S., handles healthcare information for about a third of Americans. The breach exposed sensitive data across thousands of hospitals, pharmacies, and medical practices, highlighting vulnerabilities in the U.S. healthcare data infrastructure, as noted by TechCrunch (TC).

BC reports that, in the months following the June breach, Change Healthcare has disclosed that the stolen data includes a broad range of sensitive information.

Health insurance details, medical records, payment and billing information, and personal identifiers such as Social Security and driver’s license numbers were among the compromised data. However, not every affected person’s medical history was exposed, as noted by BC.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently updated the incident to its breach report. OCR noted on its FAQ  page that, “approximately 100 million individual notices have been sent regarding this breach.”

Earlier this month, Reuters reported that Change Healthcare anticipates significant operational disruptions from the breach, projecting a $705 million financial impact due to payment delays and service outages. UnitedHealth responded by issuing billions of dollars in loans to healthcare providers and covering notification costs for affected customers.

TC reports that the attack, attributed to the ALPHV/BlackCat ransomware group, first surfaced in February when Change Healthcare shut down much of its network to contain the breach, causing immediate service interruptions across the healthcare sector.

Following the attack, ALPHV/BlackCat disappeared with a reported $22 million ransom paid by UnitedHealth. After internal disputes, contractors involved in the hack formed a new group, attempting a second extortion and leaking some of the stolen data online as proof of their demands, as reported by TC.

Change Healthcare’s access to a copy of the stolen data enabled the company to identify and alert affected individuals, said TC. Although no evidence suggests the data was fully deleted, other ransomware groups, such as LockBit, have shown a tendency to retain stolen data even after victims comply with ransom demands, noted TC.