After concluding an investigation into the data breach that occurred in February involving Change Healthcare, the US Department of Health and Human Services reported yesterday that approximately 100 million individuals were affected. This incident ranks as one of the most significant breaches of medical and health data in the United States, as outlined by a report from Reuters.
Change Healthcare, which operates as a subsidiary of UnitedHealth, offers an integrated platform for health insurance technology, covering aspects such as payments and claims processing. The breach was attributed to a cyberattack executed by the ransomware group known as ALPHV, also referred to as “BlackCat.”
The ramifications of this breach extend beyond merely UnitedHealth subscribers; Change Healthcare collaborates with numerous health insurance providers, including Aetna, Anthem, Blue Cross Blue Shield, and Cigna. Consequently, it has access to a vast array of sensitive health data belonging to millions of users within the healthcare system.
In April, UnitedHealth indicated that the breach likely affected a significant portion of the American populace. By May, CEO Andrew Witty testified before Congress, revealing that attackers gained access through an employee’s compromised login credentials. The cybercriminals leveraged these credentials to enter an application that allowed them to remotely control desktops—this application, alarmingly, lacked multifactor authentication, raising serious security concerns.
During the same congressional hearing, Witty cautioned that the breach may have exposed data pertaining to about one-third of the American population, underscoring the extensive reach and impact of this attack. The breach disrupted medical services nationwide, affecting processes like claims handling, payment systems, and pharmacy network operations.
While UnitedHealth cannot detail the exact data compromised for each individual, a notice on its website specifies that affected information could include Social Security numbers, passport information, medical diagnoses, medical records, billing data, and health insurance details. Since July, UnitedHealth Group has begun notifying the affected individuals, reaching out to 100 million people whose data may have been compromised. Those who received notifications should consider their information at risk and can seek further assistance by calling 1-866-262-5342.
For individuals who have not received notifications, Change Healthcare’s notice indicates that due to the ongoing complexities of the data review, specific details about the impacted data are currently unavailable.
In light of this significant breach, individuals whose information may have been compromised should adopt proactive measures to safeguard their identities. Change Healthcare has established a FAQ support page and is providing IDX identity theft protection for up to two years. Enrollment can be completed online or by calling 1-888-846-4705.
If affected by this breach, it is advisable to scrutinize healthcare policies for discrepancies, regularly check credit reports for unauthorized applications, monitor bank account statements for unusual activity, and consider freezing credit reports with the three major bureaus: Equifax, Experian, and TransUnion. Additionally, once the two-year IDX coverage concludes, individuals may wish to sign up for ongoing identity theft protection services that provide monitoring and alerts for any suspicious activities related to their data.
This breach serves as a stark reminder for businesses and individuals alike regarding the vulnerabilities inherent in data management within the healthcare industry. Effective strategies rooted in the MITRE ATT&CK framework, including addressing initial access points and ensuring rigorous authentication processes, are critical in mitigating such risks in the future.
