Change Healthcare confirmed a February ransomware attack on its systems that caused widespread disruption to the US healthcare system for weeks and resulted in the theft of medical records affecting a “significant percentage of people in America”.
In a statement on Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack.
The health technology giant, owned by US insurer UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the US healthcare sector. As such, the company has access to vast amounts of health information about a third of all Americans.
The cyberattack prompted the company to shut down its systems, causing disruptions and delays to thousands of healthcare providers that rely on Change and affecting countless patients who were unable to get prescriptions or had delays in medical care or procedures.
Change said in its latest statement that it “cannot confirm exactly” what data has been stolen for each individual and that the information may vary from person to person.
Affected information includes personal information such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identification documents such as social security numbers, driver’s licenses and passport numbers.
The data also includes medical records and health information such as diagnoses, medications, test results, imaging and care and treatment plans, Change said. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change says includes financial and banking information.
Change said it was still in the “final stages” of reviewing the stolen data to determine what was taken and that more people affected may be identified. Some of the stolen information may relate to guarantors who paid health care bills for someone else, the company said.
The company added that affected people should receive a notification by mail starting in late July.
The Change Healthcare ransomware attack is one of the largest known digital thefts of medical records in the US. While the full impact of this data breach remains unclear, the consequences for the millions of Americans whose private medical information was irretrievably compromised are likely incalculable.
Change said it secured a copy of the stolen data set in March for review to identify and notify affected individuals, which TechCrunch previously reported was obtained in exchange for paying a ransom demand.
UnitedHealth has confirmed that it has paid at least one ransom demand to the cybercriminal group behind the ransomware attack, known as ALPHV, in an effort to prevent the stolen files from being published. Another hacking group called RansomHub demanded an additional payment from UnitedHealth after it claimed that ALPHV was done with the first ransom payment but left the stolen data with one of its affiliates — essentially a contractor — who broke into Change's systems and deployed the ransomware on them.
RansomHub then posted several files on its dark web leak site and threatened to sell the data to the highest bidder if no more ransom was paid.
According to UnitedHealth CEO Andrew Witty, the hackers broke into Change Healthcare’s network using a set of stolen credentials on an internal system that was not protected with multi-factor authentication, a security feature that makes it more difficult for malicious hackers to misuse stolen passwords.
The ransomware attack cost UnitedHealth about $870 million in the first three months of the year, during which the company had $100 billion in revenue, according to the company’s earnings report. UnitedHealth is expected to report its latest earnings in mid-July.