UnitedHealth Confirms Change Healthcare Data Breach Impacted 100 Million Americans

UnitedHealth Group (UHG) has confirmed that the February 2024 Change Healthcare data breach leaked the sensitive personal information of 100 million people, making it the worst healthcare leak in history.

UnitedHealth acquired Optum in 2022 and merged it with Change Healthcare in a $7.8 billion deal. Optum brought in over 100 million customers in addition to UHG’s existing 53 million, making the company one of the world’s largest health insurers.

In an SEC Form 8-K regulatory filing, the health insurer said it proactively isolated some IT systems after discovering that a “suspected nation-state” threat actor had accessed certain Change Healthcare systems.

The shutdown disrupted certain operations, including claims processing, impacting individual patients and service providers across the United States, prompting a Congressional hearing.

Nearly a third of Americans impacted by the Change Healthcare data breach

In May 2024, UnitedHealth CEO Andrew Witty told the Congressional Committee that the Change Healthcare data breach likely affected a third of Americans and the amount of data involved was likely “going to be substantial.”

A new listing on the U.S. Department of Health and Human Services Office for Civil Rights website confirms that the Change Healthcare data breach affected 100 million people.

According to a HIPAA substitute notice, the ransomware attack leaked the victims’ personally identifiable information such as names, addresses, dates of birth, phone numbers, email addresses, Social Security Numbers, driver’s license numbers, state ID numbers, and passport numbers.

The Change Healthcare data breach also exposed health insurance information such as health plans, insurance companies, member/group ID numbers, and payor ID numbers.

Billing, claims, and payment information such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due were also accessed.

The threat actors also accessed protected health information such as diagnoses, prescriptions, test results, images, and care and treatment information. However, the information varied by individual, and the Change Healthcare data breach did not expose all data fields.

The health insurer started notifying impacted individuals in June 2024 and promised to continue doing so on a rolling basis given the number of victims involved.

“On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach,” HHS OCR stated.

Ransom payment to prevent publishing of data

The ALPHV or BlackCat ransomware group claimed responsibility for the cyber attack and allegedly stole 6 terabytes of data. The threat actor gained access using compromised login credentials for an old server that was not protected by multi-factor authentication, then moved laterally to other parts of the company’s network. Since then, the healthcare insurer has implemented a new MFA system to protect its IT systems from unauthorized access.
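The intrusion path described above, a successful login on a remote-access host that never satisfied MFA, followed by the same account authenticating to other internal hosts, is a pattern a SOC can hunt for in its own authentication logs. The following detection routine is an added example written for this article; it is not code from UnitedHealth, Change Healthcare, or any vendor named here. The log format, field names, host names, timestamps and the two-hour correlation window are all constructed assumptions for the illustration.

```python
"""
Added example (not from the article, UnitedHealth or Change Healthcare):
flag accounts whose session started with a successful login that did NOT
satisfy MFA and that then authenticated to additional hosts shortly after.
The log format and all values below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
#   <timestamp> <user> <source> <destination host> <result> mfa=<yes|no|n/a>
# "mfa=n/a" marks internal host-to-host authentications where MFA is not
# evaluated; "mfa=no" marks an edge login that completed without a second factor.
SAMPLE_LOGS = """\
2024-02-12T03:14:07Z svc-legacy 203.0.113.7 vpn-legacy-01 success mfa=no
2024-02-12T03:21:55Z svc-legacy vpn-legacy-01 fileshare-02 success mfa=n/a
2024-02-12T03:40:12Z svc-legacy vpn-legacy-01 db-claims-01 success mfa=n/a
2024-02-12T08:02:30Z jdoe 198.51.100.9 vpn-main-01 success mfa=yes
2024-02-12T08:05:11Z jdoe vpn-main-01 fileshare-02 success mfa=n/a
2024-02-12T09:15:00Z asmith 192.0.2.44 vpn-legacy-01 failure mfa=no
"""

# Assumed correlation window: how long after the non-MFA login we look for
# authentications to other hosts by the same account.
WINDOW = timedelta(hours=2)


def parse_line(line):
    """Parse one constructed-format log line into a dict of typed fields."""
    ts, user, src, dst, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "src": src,
        "dst": dst,
        "ok": result == "success",
        "mfa": mfa.split("=", 1)[1],
    }


def parse_logs(text):
    """Parse a block of log text, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_no_mfa_lateral_movement(events, window=WINDOW):
    """
    Return one finding per (user, non-MFA entry login) where the account went
    on to authenticate successfully to at least one other host within `window`.
    Each finding lists the entry host and the sorted set of hosts reached.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, entry in enumerate(evs):
            # Candidate initial access: successful login that skipped MFA.
            if not (entry["ok"] and entry["mfa"] == "no"):
                continue
            lateral_hosts = sorted({
                e["dst"] for e in evs[i + 1:]
                if e["ok"]
                and e["dst"] != entry["dst"]
                and e["ts"] - entry["ts"] <= window
            })
            if lateral_hosts:
                findings.append({
                    "user": user,
                    "entry_time": entry["ts"].isoformat(),
                    "entry_host": entry["dst"],
                    "source": entry["src"],
                    "lateral_hosts": lateral_hosts,
                })
    return findings


if __name__ == "__main__":
    for f in find_no_mfa_lateral_movement(parse_logs(SAMPLE_LOGS)):
        print(f"[ALERT] {f['user']} logged in to {f['entry_host']} from "
              f"{f['source']} without MFA at {f['entry_time']} and then "
              f"reached: {', '.join(f['lateral_hosts'])}")
```

On the constructed sample the routine raises a single alert for `svc-legacy`, whose non-MFA login on `vpn-legacy-01` is followed within the window by authentications to `fileshare-02` and `db-claims-01`; `jdoe` satisfied MFA and `asmith` never logged in successfully, so neither is flagged. The same rule also gives an inventory of which edge hosts are still accepting logins with `mfa=no`, which is the configuration gap the article says was closed afterwards.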

Change Healthcare parent company UnitedHealth paid a $22 million ransom to prevent the threat actors from publishing the stolen information.

However, ALPHV gang leaders stiffed their affiliates, who then partnered with RansomHub and demanded another ransom. It was unclear whether Change Healthcare paid the second ransom, but the RansomHub listing mysteriously disappeared.

Additionally, the disruption of operations cost UnitedHealth approximately $705 million and forced the company to extend billions of dollars in loans to support providers affected by the Change Healthcare data breach.

The health insurer also faces regulatory non-compliance penalties and data breach lawsuits, which could cost the company millions of dollars.

“It is never too easy on the enterprise that is breached, especially those that have grown at a fast pace,” explained Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens. “Having said that, very long durations to determine the extent of a breach does indicate lower standards of data governance and lack of internal control.”

The Change Healthcare data breach followed a December 2023 joint cybersecurity advisory on the BlackCat ransomware gang targeting healthcare organizations.

Meanwhile, the U.S. Department of State is offering up to $10 million for information to identify or locate BlackCat gang leaders.