A UnitedHealth hack exposed the personal information and health data of more than 100M Americans – the first time the company has put a specific number on the security breach.
A ransomware attack was made on Change Healthcare back in February, but it was only yesterday that the company revealed its “unprecedented magnitude” …
UnitedHealth hack
Bleeping Computer reports the revelation has been a slow burn.
UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.
In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that “maybe a third” of all Americans’ health data was exposed in the attack.
A month later, Change Healthcare published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a “substantial quantity of data” for a “substantial proportion of people in America.”
Today, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of impacted people to 100 million, making it the first time UnitedHealth, the parent company of Change Healthcare, put an official number to the breach.
The sensitivity of the information compromised was every bit as concerning as the scale:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The actual data exposed may vary by individual.
Unbelievably, the attackers got in using stolen credentials, which was possible because the company’s Citrix remote access service didn’t have two-factor authentication enabled.
A massive 6TB of data was extracted before the company’s computers were encrypted, causing chaos for doctors and patients alike. The company admitted to paying a ransom for the decryption key, reportedly handing over $22M.
To make matters worse, the attack was carried out by an ‘affiliate’ of the BlackCat organized crime group, and the group reportedly stiffed the affiliate by keeping 100% of the ransom money. The affiliate then demanded a new ransom in return for not making the data public, and there is evidence to suggest that UnitedHealth paid this second ransom also.