This year, a ransomware attack on UnitedHealth-owned change healthcare probably stands as one of the largest data breaches of U.S. health and medical data in history.
Months after the February breach, Change Healthcare cyberattack revelations mean that now a "significant portion of people living in America" are being mailed notices that cyber thieves made off with their personal and health information. At least 100 million people are now known to be affected by the breach.
Change Healthcare processes insurance and billing for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. As a result, it gathers and maintains vast amounts of highly sensitive patient medical information in the United States. Through a series of mergers and acquisitions, Change has become one of the biggest processors of health data in the U.S. - processing between one-third and one-half of all health-related transactions in the country.
Here is what has happened since the ransomware attack began.
February 21, 2024
First reports of outages as security incident emerges
It was an average Wednesday afternoon until it wasn't. The outage was sudden. On February 21, doctors' offices and healthcare practices' billing systems all stopped working, and insurance claims weren't processing. The status page on Change Healthcare's website was flooded with outage notifications affecting every part of the firm, and later that day the company confirmed it was "experiencing a network interruption related to a cyber security issue." Clearly, something had gone very wrong.
It turns out that Change Healthcare invoked its security protocols and shut down the entire network to cut off intruders it found inside its systems. That meant sudden and widespread outages across the health care sector that relies on a handful of companies — like Change Healthcare — to process health insurance and billing claims for vast swaths of the United States. It then was revealed that the hackers had begun to access the company's systems on or around February 12-a week before the breach.
February 29, 2024
UnitedHealth confirms it was hit by ransomware gang
UnitedHealth initially-and incorrectly-attributed the breach to hackers working for a government or nation-state. UnitedHealth later stated that on February 29, the cyber attack was in fact the work of a ransomware gang. UnitedHealth said the gang "represented itself to us as ALPHV/BlackCat," a company spokesman told TechCrunch at the time. One dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, saying it stole millions of Americans' sensitive health and patient information, giving the first indication of how many people this incident affected.
ALPHV, a.k.a. BlackCat, is a Russian-speaking ransomware-as-a-service gang, and its affiliates, who are basically contractors of the gang, break into networks with their infection tools that were developed by the leaders of ALPHV/BlackCat, who cut a piece of the profits collected from the ransoms paid by the victims to recover their files.
Knowing the attack was by a ransomware gang altered the calculus of the breach from the manner of hack that governments do — sometimes to embarrass another government rather than publish millions of citizens' private data — to one caused by financially motivated cyber criminals, likely with a very different play book to get their payday.
March 3-5, 2024
UnitedHealth pays ransom amounting to $22 million to hackers, who then disappear
Early March saw the ALPHV ransomware gang vanish. Weeks earlier, the gang's dark-web site took responsibility for the cyber attack, but a seizure notice appeared, boasting that U.K. and U.S. law enforcement had taken down the gang's site. But both the FBI and U.K. Today, though, officials denied taking down the ransomware gang as they had in fact attempted months before. Everything spelled out ALPHV running off with the ransom and pulling an "exit scam."
In a posting, the ALPHV affiliate behind the hack of Change Healthcare said that the leadership of ALPHV grabbed $22 million paid as ransom and attached a link to one bitcoin transaction on March 3 as proof of the claim. They still have it, though," said a relation, referring to the stolen data. UnitedHealth had paid hackers a ransom; they took the data with them when they left.
March 13, 2024
Rampant disruption across US healthcare amid fears of data breach
Meanwhile, weeks into the cyberattack, outages continued with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said "all military pharmacies worldwide" were affected also.
The American Medical Association said yesterday that there was little information from UnitedHealth and Change Healthcare about what was causing outages, which caused huge disruption and were still continuing to ripple across the healthcare sector.".
By March 13, Change Healthcare had obtained a "safe" copy of the pilfered data it just days before spent $22 million on. This then enabled Change to start the process of sifting through the dataset to see whose information had been stolen in the cyber attack in the hope of informing as many affected people as possible. 18 March 28, 2024
The U.S. government boosts bounty to $10 million for information that leads to capture of ALPHV
By last March end, the U.S. government said it was upping the ante its bounty for information on key leadership of ALPHV/BlackCat and its affiliates.
It was almost like the U.S. was expecting that one of the inside members of the gang would turn against former leaders by accepting $10 million for anyone able to identify or locate the individuals behind the gang. It also could be considered as the U.S. realizing the threat from having a substantial number of health information about Americans potentially published online.
April 15, 2024
A contractor creates a new ransom gang and posts some stolen health data.
And then there were two ransoms. In mid-April, the offended partner created a new ransomware operation called RansomHub, and since it still possessed the data that it had stolen from Change Healthcare, it threatened to extort a second ransom from UnitedHealth. To prove the threat, RansomHub published part of the stolen files containing what appeared to be private and sensitive patient records.
Ransomware gangs encrypt files but also steal as much data as possible, threatening to publish the files unless a ransom is paid. This is known as "double extortion." In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim's customers, known as "triple extortion.".
Now that UnitedHealth was willing to pay one ransom, there was a danger that the healthcare giant would be extorted again. It's why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.
April 22, 2024
UnitedHealth says ransomware hackers stole health data on a "substantial proportion of people in America"
For the first time, UnitedHealth acknowledged April 22, more than two months after ransomware began infiltrating its network that it had a data breach and that it likely impacts a "substantial proportion of people in America," without saying how many millions of people that entails. UnitedHealth also acknowledged that it paid a ransom to obtain the data but would not say how many ransoms it ultimately paid.
The company said that the data stolen comprises highly sensitive information such as medical records and health information, diagnoses, medications, test results, imaging, and care and treatment plans, and various other personal information.
Because Change Healthcare processes data for roughly one-third of all Americans living in the United States, the numbers affected by the data breach will likely exceed 100 million people.
Reached by TechCrunch, a UnitedHealth spokesperson said the company was reviewing the data and did not dispute the likely affected number.
May 1, 2024
UnitedHealth Group chief executive testifies that Change wasn't using basic cybersecurity
Perhaps not so surprisingly, given that your company has witnessed one of the most massive data breaches in very recent history, it does not come as a surprise when the Chief Executive of your company finds himself called up to testify before lawmakers.
That is what happened to UnitedHealth Group (UHG) chief Andrew Witty who, on Capitol Hill, admitted that the hackers invaded through a single set password on the Change Healthcare systems for a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks by requiring a second code sent to that account holder's phone.
The hack covered one of the largest data breaches in U.S. history, entirely preventable, was its overriding lesson. The hacked data breach was likely to affect about a third of people living in America - in line with the company's previous estimates that the breach affects around as many people that Change Healthcare processes healthcare claims for.
June 20, 2024
UHG begins notifying affected hospitals and medical providers what data was stolen
It was until June 20 that Change Healthcare began to issue formal letters to impacted parties informing them their data has been stolen, legally required by a law commonly known as HIPAA, likely held back in part by the sheer scale of the dataset that was stolen.
The company posted a notice saying that it had determined to notify individuals it identified in the "safe" copy of the stolen data. However, Change said it "cannot confirm exactly" what data was taken about each individual and that the information may vary from person to person. Change says it was posting the notice on its website, as it "may not have sufficient addresses for all affected individuals.".
It was so massive and intricate that it drew the attention of the United States Department of Health and Human Services, which ordered affected healthcare providers-whose patients are at the end line to be affected by the same- can request UnitedHealth to send notifications across to affected patients on their behalf, an effort viewed at alleviating the burden on smaller providers whose finances were hurt as the outage continued.
July 29, 2024
Change Healthcare begins writing known affected parties
The health tech giant said late in June that it would begin notice letters to those whose healthcare information had been taken in its ransomware attack on a rolling basis. That process began at the end of July.
Letters sent out to affected parties will likely originate from Change Healthcare, at minimum from the specific healthcare provider that was hacked at Change. The letter confirms what types of data was compromised, including medical data and health insurance information and claims and payment information, which Change said includes financial and banking information.
October 24, 2024 UnitedHealth confirms at least 100 million people affected by data breach
It took the health insurance giant more than eight months to announce, but it has confirmed that the data breach affects more than 100 million individuals. The number of affected individuals will likely increase since some have received data breach notifications as recently as October. The U.S. Department of Health and Human Services reported the updated number on its data breach portal on October 24.
Change healthcare records breach is now the largest digital theft of US medical records, and one of the biggest data breaches in living history, as it stands.