Change Healthcare has confirmed that it has informed approximately 100 million Americans of a potential data breach related to a ransomware attack that occurred in February 2024. This incident represents the largest recorded breach of protected health information in the country. It has affected wide segments of the U.S. healthcare system, disrupting payment and prescription processing across numerous organizations due to Change Healthcare’s significant role in these activities.
In its communication to the U.S. Department of Health and Human Services (HHS) on October 22, Change Healthcare disclosed that the breach is expected to impact a “substantial proportion” of the American population. The notification letter elaborated on the nature of the compromised data, which includes sensitive health information such as medical records, billing details, and personal identifiers like Social Security numbers, driver’s licenses, and insurance policies.
The ramifications of the attack have been profound, leading to direct response costs that Change Healthcare’s parent company, UnitedHealth Group, estimates to be $1.521 billion over nine months, with total costs related to cyberattacks reported at $2.457 billion. Among these costs, the organization acknowledged a payment of $22 million to the ransomware group BlackCat, also known as ALPHV, under the assumption they would delete the stolen data. However, the payment’s effectiveness was compromised when an affiliate of BlackCat claimed they had been cheated out of their share, leading to the collapse of the ransomware operation.
Days after the turmoil with BlackCat, another ransomware group, RansomHub, began offering the stolen healthcare data for sale. Their public communications indicated that other insurance providers could contact them to prevent further data leaks, capitalizing on the chaos created by Change Healthcare’s security failures. While it remains unclear whether RansomHub managed to sell this data, reports from an affected academic healthcare system suggest that significant amounts of data (up to four terabytes) were successfully exfiltrated by cybercriminals.
In light of the breach, Change Healthcare has offered affected individuals two years of credit monitoring and identity theft protection services through IDX. An incident report provided during Senate Finance Committee testimony revealed that the attackers had exploited unprotected credentials for a Citrix remote access portal that lacked multi-factor authentication, highlighting significant lapses in cybersecurity protocols.
A bipartisan bill introduced in the Senate in August 2024 aims to improve cybersecurity standards for healthcare providers, seeking to mandate robust minimum requirements and remove existing caps on fines associated with HIPAA violations. This legislative push follows a growing recognition that accountability for data breaches remains alarmingly lenient, as evidenced by the previous maximum fine of $16 million imposed on Anthem after a breach affecting nearly 80 million individuals.
Businesses and individuals impacted by this breach are advised to take proactive measures, including placing security freezes on their credit files to mitigate the risk of identity theft, as the leaked data is sufficient to enable identity theft. Freezing credit files is now a no-cost process that prevents potential lenders from accessing credit reports without permission, significantly reducing the risk of fraudulent accounts being opened.
As a final note, this breach highlights the critical importance of comprehensive cybersecurity strategies in healthcare settings, where the stakes are particularly high given the sensitive nature of the data involved. The incident serves as a reminder of the vulnerabilities that persist within even the largest and most established organizations in the healthcare sector—a vivid illustration of the need for increased vigilance and enhanced protective measures. Business owners should closely monitor similar incidents and reassess their cybersecurity posture in response to this evolving threat landscape.