A significant data breach involving Change Healthcare, a UnitedHealth Group subsidiary, has exposed sensitive information of approximately 190 million individuals across the United States. The breach, perpetrated by the ALPHV ransomware gang, a notorious Russian-language cybercrime group, stems from a ransomware attack in February 2024. Initially, estimates suggested 100 million people were affected, but UnitedHealth Group later confirmed the staggering figure.
The ransomware attack on Change Healthcare, one of the largest handlers of medical data and healthcare claims in the U.S., resulted from compromised account credentials lacking multi-factor authentication. This security gap enabled hackers to infiltrate the company’s systems, causing widespread outages across the healthcare sector for months. UnitedHealth Group's CEO, Andrew Witty, testified to lawmakers about the breach's cause, emphasizing the vulnerability exploited by the attackers.
Change Healthcare's response involved paying at least two ransoms to the perpetrators to prevent further dissemination of the stolen data. The breach, which now stands as the largest medical data breach in U.S. history, has been reported to the Office for Civil Rights under the U.S. Department of Health and Human Services, which is responsible for investigating such incidents.
The stolen data includes a range of personal information such as names, addresses, dates of birth, phone numbers, email addresses, and critical government identity documents. These documents encompass Social Security numbers, driver's license numbers, and passport numbers. The gravity of this breach highlights significant security concerns within healthcare data management and protection.
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” stated Tyler Mason, a spokesperson for UnitedHealth Group.
“The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date,” Mason added.
Change Healthcare's position as a major processor of healthcare claims underscores the widespread impact this breach has on both healthcare providers and patients nationwide. The breach exposed vulnerabilities within the health tech giant’s systems, raising questions about the adequacy of cybersecurity measures in place within such critical infrastructure.
Leave a Reply