Change Healthcare has confirmed a February ransomware assault on its techniques, which introduced widespread disruption to the U.S. healthcare system for weeks, resulted within the theft of medical information affecting a “substantial proportion of individuals in America.”
In an announcement Thursday, Change Healthcare mentioned it has begun the method of notifying affected people whose data was stolen throughout the cyberattack.
The well being tech big, owned by U.S. insurance coverage conglomerate UnitedHealth Group, processes affected person insurance coverage and billing for 1000’s of hospitals, pharmacies and medical practices throughout the U.S. healthcare sector. As such, the corporate has entry to large quantities of well being data on a few third of all Individuals.
The cyberattack prompted the corporate to close down its techniques, leading to outages and delays to 1000’s of healthcare suppliers who depend on Change, and affecting numerous sufferers who couldn’t receive prescriptions or had medical care or procedures delayed.
Change mentioned in its newest assertion that it “can not affirm precisely” what knowledge was stolen about every particular person, and that the data could fluctuate from individual to individual.
The affected data consists of private data, equivalent to names and addresses, dates of beginning, cellphone numbers and electronic mail addresses, in addition to authorities identification paperwork, equivalent to Social Safety numbers, driver’s licenses and passport numbers.
The information additionally consists of medical information and well being data, equivalent to diagnoses, drugs, check outcomes, drugs, imaging, and care and therapy plans, mentioned Change. The hackers stole medical health insurance data, together with plan and coverage particulars, in addition to billing, claims and cost data, which Change mentioned consists of monetary and banking data.
Change mentioned it was nonetheless within the “late levels” of its assessment of the stolen knowledge to find out what was taken and that extra affected people could also be recognized. A number of the stolen data could relate to guarantors who paid healthcare payments for another person, the corporate mentioned.
The corporate added that affected people ought to obtain discover by mail starting late July.
The ransomware assault on Change Healthcare stands as one of many largest-ever identified digital thefts of U.S. medical information. Whereas the total affect of this knowledge breach stays unclear, the ramifications for the tens of millions of Individuals whose non-public medical data was irretrievably compromised are probably incalculable.
Change mentioned it secured a replica of the stolen dataset in March to assessment for figuring out and notifying affected people, which TechCrunch beforehand reported was obtained in alternate for paying a ransom demand.
UnitedHealth confirmed it paid a minimum of one ransom demand to the cybercriminal group behind the ransomware assault, generally known as ALPHV, in an effort to stop the publication of the stolen recordsdata. One other hacking group known as RansomHub demanded a further cost from UnitedHealth after claiming ALPHV made off with the primary ransom cost however left the stolen knowledge with one in every of its associates — basically a contractor — who broke in and deployed the ransomware on Change’s techniques.
RansomHub subsequently revealed a number of recordsdata on its darkish internet leak web site and threatened to promote the info to the very best bidder if one other ransom wasn’t paid.
In keeping with UnitedHealth chief govt Andrew Witty, the hackers broke into Change Healthcare’s community utilizing a set of stolen credentials to an inside system that was not protected with multi-factor authentication, a safety function that makes it tougher for malicious hackers to misuse stolen passwords.
The ransomware assault value UnitedHealth round $870 million within the first three months of the yr, throughout which the corporate made $100 billion in income, in accordance with the corporate’s earnings report. UnitedHealth is predicted to report its most up-to-date earnings in mid-July.