Change Healthcare has confirmed a February ransomware assault on its techniques, which introduced widespread disruption to the U.S. healthcare system for weeks, resulted within the theft of medical information affecting a “substantial proportion of individuals in America.”
In an announcement Thursday, Change Healthcare mentioned it has begun the method of notifying affected people whose data was stolen through the cyberattack.
The well being tech large, owned by U.S. insurance coverage conglomerate UnitedHealth Group, processes affected person insurance coverage and billing for 1000’s of hospitals, pharmacies and medical practices throughout the U.S. healthcare sector. As such, the corporate has entry to large quantities of well being data on a few third of all Individuals.
The cyberattack prompted the corporate to close down its techniques, leading to outages and delays to 1000’s of healthcare suppliers who depend on Change, and affecting numerous sufferers who couldn’t get hold of prescriptions or had medical care or procedures delayed.
Change mentioned in its newest assertion that it “can’t affirm precisely” what information was stolen about every particular person, and that the knowledge might differ from individual to individual.
The affected data contains private data, corresponding to names and addresses, dates of delivery, cellphone numbers and electronic mail addresses, in addition to authorities id paperwork, corresponding to Social Safety numbers, driver’s licenses and passport numbers.
The info additionally contains medical information and well being data, corresponding to diagnoses, medicines, check outcomes, medicines, imaging, and care and therapy plans, mentioned Change. The hackers stole medical health insurance data, together with plan and coverage particulars, in addition to billing, claims and fee data, which Change mentioned contains monetary and banking data.
Change mentioned it was nonetheless within the “late phases” of its assessment of the stolen information to find out what was taken and that extra affected people could also be recognized. A few of the stolen data might relate to guarantors who paid healthcare payments for another person, the corporate mentioned.
The corporate added that affected people ought to obtain discover by mail starting late July.
The ransomware assault on Change Healthcare stands as one of many largest-ever identified digital thefts of U.S. medical information. Whereas the complete affect of this information breach stays unclear, the ramifications for the tens of millions of Individuals whose non-public medical data was irretrievably compromised are possible incalculable.
Change mentioned it secured a duplicate of the stolen dataset in March to assessment for figuring out and notifying affected people, which TechCrunch beforehand reported was obtained in alternate for paying a ransom demand.
UnitedHealth confirmed it paid a minimum of one ransom demand to the cybercriminal group behind the ransomware assault, generally known as ALPHV, in an effort to stop the publication of the stolen recordsdata. One other hacking group known as RansomHub demanded an extra fee from UnitedHealth after claiming ALPHV made off with the primary ransom fee however left the stolen information with one in all its associates — basically a contractor — who broke in and deployed the ransomware on Change’s techniques.
RansomHub subsequently printed a number of recordsdata on its darkish internet leak website and threatened to promote the information to the very best bidder if one other ransom wasn’t paid.
In keeping with UnitedHealth chief govt Andrew Witty, the hackers broke into Change Healthcare’s community utilizing a set of stolen credentials to an inside system that was not protected with multi-factor authentication, a safety characteristic that makes it tougher for malicious hackers to misuse stolen passwords.
The ransomware assault price UnitedHealth round $870 million within the first three months of the yr, throughout which the corporate made $100 billion in income, in line with the corporate’s earnings report. UnitedHealth is predicted to report its most up-to-date earnings in mid-July.