Analysis Summary

As the biggest healthcare data breach in recent years, UnitedHealth has announced that for the first time, the Change Healthcare ransomware attack resulted in the theft of over 100 million people's personal information and medical records.

The CEO of UnitedHealth cautioned during a congressional hearing in May that the attack may have exposed up to one-third of all Americans' health information. The February ransomware attack on Change Healthcare compromised a significant amount of data for a significant number of Americans, according to a data breach notification released by Change Healthcare a month later.

The number of affected individuals was updated to 100 million by the U.S. Department of Health and Human Services Office for Civil Rights data breach portal. This is the first time UnitedHealth, Change Healthcare's parent company, has officially assigned a number to the incident.

The updated FAQ reads, “On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach.”

According to Change Healthcare's data breach reports since June, the February ransomware attack resulted in the theft of a significant quantity of private data, including:

• Health insurance details (include insurance companies, member/group ID numbers, Medicaid/Medicare-government payer ID numbers, and primary, secondary, or additional health plans/policies)
• Medical records, providers, diagnoses, medications, test results, pictures, care, and treatment, among other health-related data
• Information about billing, claims, and payments (such as account numbers, billing codes, payment cards, claim numbers, and balances owed)
• Other personal data like passport numbers, driver's license numbers, Social Security numbers, and state ID numbers

Each person may have different information, and not everyone's medical history was made public. The February ransomware attack on Change Healthcare, a UnitedHealth subsidiary, resulted in this data breach and caused major disruptions in the U.S. healthcare system. Patients were forced to pay full price for prescription drugs because the company's IT systems were disrupted, making it impossible for physicians and pharmacists to submit claims or accept discount prescription cards.

The company's Citrix remote access service, which lacked multi-factor authentication, was breached by the BlackCat ransomware group, also known as ALPHV, using credentials that were obtained. The corporation locked down its IT infrastructure to stop the attack from spreading after the threat actors encrypted systems on the network and stole 6 TB of data.

In order to obtain a decryptor and have the threat actors remove the stolen material, UnitedHealth Group acknowledged paying a ransom demand. The BlackCat ransomware branch that carried out the attack claims that the ransom payment was $22 million. The affiliate and the ransomware operation were meant to divide the ransom payment, but BlackCat abruptly shut down, took the full amount for themselves, and pulled an exit fraud.

The affiliate claimed to still have the company's data and failed to destroy it as promised, thus Change Healthcare's issues did not end there. The affiliate joined forces with RansomHub, a recently formed ransomware gang, and started disclosing some of the stolen material while requesting further payment to prevent its release.

A few days later, the Change Healthcare entry on RansomHub's data leak website vanished for no apparent reason, which would mean that United Health paid a second ransom demand. In April, UnitedHealth said that the Change Healthcare ransomware attack had cost them $872 million. This figure rose to an estimated $2.45 billion for the nine months ending September 30, 2024, as part of the company's Q3 2024 earnings.

Impact

• Operational Disruption
• Sensitive Data Theft
• Financial Loss
• Reputational Damage

Remediation

• Use strong, unique passwords for sensitive accounts. Regularly change passwords for all accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.
• Improve communication with customers by providing timely and transparent updates about data breaches, including what information was compromised and the steps being taken to mitigate the impact.
• Ensure that all vendors and third-party partners adhere to stringent security protocols and regularly assess their cybersecurity practices to minimize the risk of data breaches originating from external sources.
• Provide affected customers with comprehensive support, including credit monitoring services, identity theft detection, and resolution assistance, to help mitigate the potential consequences of the breach.