Introduction

In February 2024, a significant ransomware attack attributed to the ALPHV group, also known as “BlackCat,” targeted Change Healthcare, a subsidiary of UnitedHealth Group (UHG) [2] [3] [5] [6] [7] [9] [11]. This incident is recognized as the largest healthcare data breach in history [3], affecting the personal and healthcare data of approximately 100 million individuals, nearly one-third of the US population [4]. The breach underscores the vulnerabilities in healthcare cybersecurity and has prompted extensive investigations and responses.

Description

In February 2024, a massive ransomware attack attributed to the ALPHV group, also known as “BlackCat,” targeted Change Healthcare, a subsidiary of UnitedHealth Group (UHG) and one of the largest health payment processing companies globally [2] [3] [5] [6] [7] [9] [11]. This cyberattack has been classified as the largest healthcare data breach in history [10], compromising the personal information and healthcare data of approximately 100 million individuals [11], which represents nearly one-third of the US population [10]. UnitedHealth’s CEO, Andrew Witty, indicated that the breach could potentially affect a third of all American health data [1] [2] [4] [10] [11], underscoring the severity of the incident. The US Department of Health and Human Services (HHS) confirmed that the breach affected data from more individuals than any previous incident, surpassing the 2015 Anthem breach that impacted 78.8 million Americans.

Change Healthcare disclosed that the breach may have compromised various types of sensitive personal, financial, and health data [1] [5] [6] [8] [11], including:

  • Contact information: first and last name, address, date of birth, phone number, and email [5] [9].
  • Health insurance information: details of health plans/policies, insurance companies, member/group ID numbers, and Medicaid, Medicare, and government payor ID numbers [5] [8].
  • Billing, claims, and payment information: claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due [1] [2] [3] [4] [5] [7] [8] [9] [11].
  • Other personal information: Social Security numbers, driver’s license or state ID numbers, passport numbers, patient diagnoses, treatment plans, medications, test results, and medical records [1] [5] [6] [8] [9].

Change Healthcare became aware of the incident on February 21, 2024, and reported that data was exfiltrated between February 17 and February 20, 2024 [6]. The breach began with the theft of an employee’s login credentials [8], which the attackers used to get into the company’s Citrix remote access service; because that service lacked multifactor authentication (MFA), the stolen username and password alone were enough to gain entry. After obtaining initial access, the attackers moved laterally within the network and exfiltrated sensitive data before deploying ransomware [3]. The attack caused significant disruption across the US healthcare sector [6] [9], preventing doctors and pharmacies from filing claims and accepting discount cards [7], and leading to weeks of outages affecting claims processing, payment platforms, and pharmacy networks [8]. The HHS Office for Civil Rights (OCR) has opened an investigation into the breach, focusing on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and on the impact on patient care and privacy [2]. Following the attack, Change Healthcare filed a breach report listing a minimum of 500 affected individuals, although the actual number is believed to be far higher [2] [3] [9] [10]. In 2023, large breaches affected approximately 140 million people, a significant increase from 51 million in 2022, and projections for 2024 indicate further escalation [2].

In response to the breach, UHG reportedly paid a $22 million ransom to regain access to the stolen data, which allowed it to identify and notify affected individuals [7] [9]. However, there is no evidence that the cybercriminals deleted the stolen data as agreed [9]. The attack cost UHG more than $872 million, covering incident response, system rebuilds, and financial support for affected providers [6]. Overall, the total cost is projected to surpass $1 billion once lost revenue is factored in [6]. The US government has so far been unable to capture the ALPHV/BlackCat hackers, and the reward for information leading to their capture has been increased to $10 million [9].

Affected individuals can access support through a dedicated website for credit monitoring and identity theft protection [2]. Change Healthcare is offering IDX identity theft protection for up to two years and has published guidance for individuals on protecting their identities, including checking healthcare policies for errors, monitoring credit reports and bank accounts, freezing credit reports, and considering ongoing identity theft services [8]. The investigation into the attack is in its final stages [5], and UHG has since mandated MFA to strengthen security following the incident. The timeline for restoring all systems remains uncertain, as CEO Andrew Witty indicated in testimony before a House subcommittee [10]. Notifications to affected individuals were not sent until June 2024, prompting widespread concern about cybersecurity in the healthcare sector [1]. On October 22, 2024, Change Healthcare notified the Office for Civil Rights that around 100 million individual notices had been sent regarding the breach [7].

Conclusion

The ALPHV/BlackCat ransomware attack on Change Healthcare has had profound impacts on the US healthcare sector, highlighting significant cybersecurity vulnerabilities. The breach has led to substantial financial costs, disruptions in healthcare services, and increased scrutiny of data protection practices. In response, UHG has implemented stronger security measures, including mandatory multifactor authentication, to prevent future incidents. The ongoing investigation and the delayed notification of affected individuals have raised concerns about the adequacy of current cybersecurity practices in the healthcare industry. As the sector continues to face escalating threats, there is a pressing need for enhanced security measures and robust incident response strategies to safeguard sensitive health data.

References

[1] https://www.darkreading.com/cyberattacks-data-breaches/unitedhealth-reveals-100m-compromised-change-healthcare-breach
[2] https://www.malwarebytes.com/blog/news/2024/10/100-million-us-citizens-officially-impacted-by-change-healthcare-data-breach
[3] https://www.theverge.com/2024/10/25/24279288/unitedhealth-change-breach-100-million-leak
[4] https://www.healthcaredive.com/news/change-healthcare-data-breach-affects-100-million/723493/
[5] https://www.infosecurity-magazine.com/news/change-healthcare-breach-americans/
[6] https://www.csoonline.com/article/3588766/change-healthcare-data-breach-exposed-only-100-million-us-health-records.html
[7] https://www.techradar.com/pro/security/united-health-confirms-largest-ever-us-healthcare-data-breach-says-100-million-users-had-info-stolen
[8] https://www.cnet.com/personal-finance/massive-change-healthcare-data-breach-impacted-100-million-people-what-to-know/
[9] https://techcrunch.com/2024/10/24/unitedhealth-change-healthcare-hacked-millions-health-records-ransomware/
[10] https://kffhealthnews.org/morning-breakout/change-healthcare-data-hack-deemed-largest-health-care-breach-in-history/
[11] https://www.tomsguide.com/computing/online-security/change-healthcares-massive-hack-exposed-data-of-100-million-people-what-to-know