SecurityWeek

Change Healthcare Ransomware Attack Impacts 100 Million People

UnitedHealth told the US health department that hackers stole the information of 100 million people in a February ransomware attack.

Change Healthcare parent company UnitedHealth Group has revealed that the personal information of 100 million individuals was compromised in the February 2024 ransomware attack.

Disclosed on February 21, the attack resulted in widespread network disruptions that impacted over 100 Change Healthcare applications across clinical, dental, medical record, patient engagement, pharmacy, and payment services. Thousands of pharmacies and healthcare providers were affected.

The attackers used leaked credentials to access a Citrix portal account that was not protected with multi-factor authentication, and lurked in Change Healthcare’s network for nine days, moving laterally and exfiltrating data before deploying file-encrypting ransomware.

Previously, UnitedHealth said the incident might have affected the information of one-third of Americans, but an updated entry on the US Department of Health and Human Services Office for Civil Rights (OCR) website now shows that 100 million individuals were affected.

“Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach,” OCR notes in an updated incident FAQ.

Roughly one week after the attack, the Alphv/BlackCat ransomware gang added Change Healthcare to its Tor-based leak site. The group reportedly received a $22 million ransom payment from UnitedHealth, but the RansomHub group attempted to extort the company a second time one month later.

In April, UnitedHealth confirmed that personally identifiable information (PII) and protected health information (PHI) were stolen in the data breach.

While it had no evidence that doctors’ charts or full medical histories were taken, the company said that names, addresses, dates of birth, phone numbers, driver’s license or state ID numbers, Social Security numbers, diagnosis and treatment information, medical record numbers, billing codes, insurance member IDs, and other types of information were likely compromised.

UnitedHealth, which incurred over $1.1 billion in total costs from the cyberattack, started sending notification letters to the potentially affected individuals in July, offering them free identity protection services.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
