HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

UnitedHealth confirms scope of Change Healthcare attack

Written by Caitlin Anthoney | Jun 25, 2024 12:43:43 AM

UnitedHealth has confirmed the types of medical and patient data stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed starting at the end of July.

 

What happened

The BlackCat (ALPHV) ransomware group executed a sophisticated attack on Change Healthcare, compromising as much as one-third of all Americans' health data. The stolen information comprises health insurance details, medical records, billing information, and personal identifiers. 

Change Healthcare plans to commence mailing notifications to affected individuals in late July, following the completion of quality assurance procedures.

 

The backstory

The BlackCat cyber counteroffensive, a series of coordinated cyberattacks on healthcare organizations, began after U.S. law enforcement seized the group's darknet website and infrastructure in December. 

In retaliation, the Russia-based ransomware group intensified their attacks, targeting healthcare organizations worldwide, including the U.S. military's Tricare healthcare program, Medicare, CVS Caremark, MetLife, and Health Net. The attack on Change Healthcare resulted in the theft of 6 TB of data and caused widespread outages in the U.S. healthcare system.

 

Going deeper

BlackCat uses various tactics, including double-extortion, where data is first exfiltrated and then encrypted. Thereafter, victims are pressured to meet ransom demands to prevent the release of stolen data. 

The attackers used stolen credentials to access Change Healthcare’s Citrix remote access service, which lacked multi-factor authentication, further complicating detection and prevention efforts. 


 

What was said

According to their press release on June 21, 2024, Change Healthcare “cannot confirm exactly what data has been affected for each impacted individual; information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, phone number, and email) and one or more of the following:

  • Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
  • Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
  • Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.”

However, the specific information affected varies for each impacted individual. So far, no complete medical histories have been found in the data review. Additionally, some information might pertain to guarantors who paid bills for healthcare services.

 

The bottom line

Protecting patient data is not just about compliance. It is also about ensuring trust, continuity of care, and the integrity of healthcare services. 

Additionally, those potentially impacted by the Change Healthcare breach should take advantage of the free credit monitoring services offered and remain vigilant for signs of identity theft.