Several hundred million people's personal information was compromised in a hack of UnitedHealth's (UNH.N) tech unit Change in February, according to data published by the U.S. health department on its website. That makes it the largest healthcare data breach in American history.
The CEO of UnitedHealth, Andrew Witty, warned at a congressional hearing on May 12 that a third of all Americans' health records may have been breached as a result of the cyberattack.
Change Healthcare published a data breach notification warning that a "considerable quantity of information" about a "substantial proportion" of Americans was exposed by the February ransomware attack.
UnitedHealth has reported that hackers may have stolen a third of Americans' data, in what is being called one of the worst attacks of its kind and one of the most severe breaches of the American healthcare system. In June, the company began notifying patients who were affected by the breach.
A statement released by the Health and Human Services Department this week, accompanying the department's report, indicated that about a third of Americans' medical data was exposed in the February data breach. UnitedHealth had stated in April that the cyberattack compromised sensitive data for "a substantial proportion of Americans". These findings confirm that statement.
At the end of February, the ransomware group ALPHV, also known as "BlackCat," attacked UnitedHealth subsidiary Change Healthcare, causing months of outages and disrupting the filing of claims across UnitedHealth's entire healthcare system. Change Healthcare is one of the world's largest processors of health payments and provides payment processing services to some of the world's largest insurance companies, such as Aetna, Anthem, Blue Cross Blue Shield, and Cigna.
The ransomware attack and data breach that occurred at Change Healthcare stand out as one of the largest and most expensive data breaches in the history of the world, as well as the largest to hit healthcare records in the U.S.
The ramifications of the theft of millions of Americans' confidential health information are likely to be equally devastating, and to follow those affected for the rest of their lives.
UHG launched a notification program in late July that continued through October.
The stolen data differs from person to person, but Change previously stated that it includes personal information such as names, addresses, dates of birth, telephone numbers, and e-mail addresses, as well as government identification documents, such as Social Security numbers, driver's license numbers, and passport numbers. The stolen health data also includes diagnoses, medications, test results, imaging, care and treatment plans, and health insurance information, along with financial and banking details found in the claims and payment data.
Change Healthcare has grown into one of the largest handlers of health and medical data and patient records, as it processes patient insurance and billing across thousands of hospitals, pharmacies, and practices in the United States. This means that Change handles enormous amounts of health and medical information relating to about one-third of the people in this country, chief executive Andrew Witty told lawmakers in May.
The cyberattack was launched on February 21, and Change Healthcare pulled much of its network offline to contain the intruders. This resulted in immediate outages throughout the U.S. healthcare sector, since Change helps handle patient insurance and billing for many companies.
UnitedHealth suffered the data breach through a ransomware attack on its subsidiary Change Healthcare in February, which caused widespread outages in the U.S. healthcare system.
The disruption to the company's IT systems prevented doctors and pharmacies from filing claims and prevented pharmacies from accepting discount prescription cards, which forced patients to pay full price for their medication.
The BlackCat ransomware gang, also known as ALPHV, conducted the attack by using stolen credentials to log in to the company's Citrix remote access service, which was not equipped with multi-factor authentication.
In a recent incident, UnitedHealth Group disclosed that a cyberattack on Change Healthcare resulted in the theft of approximately 6 terabytes of sensitive data and the encryption of computers within the company's network. This breach, described as the largest healthcare data breach in U.S. history, forced the organization to shut down its IT systems to contain the spread of the ransomware. The attack affected more than 100 million individuals, exposing personal health information and creating widespread security concerns.
The perpetrators behind the breach, linked to the BlackCat ransomware group, demanded a ransom for the decryption of the data and the deletion of the stolen files. UnitedHealth Group confirmed that it paid a $22 million ransom to the attackers to recover the data and prevent further dissemination of sensitive information. However, a dispute arose regarding the division of the ransom payment. The affiliate responsible for executing the attack was supposed to share the ransom proceeds with the broader ransomware operation. Instead, BlackCat orchestrated an exit scam, shutting down abruptly and keeping the entire payment.
The hack highlighted critical vulnerabilities in Change Healthcare's cybersecurity measures, particularly the lack of multi-factor authentication (MFA), which allowed attackers to gain unauthorized access. However, industry analysts and lawmakers emphasized that the primary motivation for the attack was the extensive and valuable troves of sensitive data that Change Healthcare collects and stores.
The company's significant data holdings made it an attractive target for cybercriminals, given the potential for monetizing personal and medical information.
Change Healthcare, a prominent player in the healthcare technology and data solutions industry, became part of UnitedHealth Group through a $7.8 billion acquisition in 2022. This merger integrated Change Healthcare with Optum, a U.S. healthcare provider owned by UnitedHealth that offers services including physician groups, technology solutions, and data analytics to insurance companies and healthcare providers. The acquisition provided Optum with extensive access to patient records and data maintained by Change Healthcare, strengthening UnitedHealth's position in the industry.
The merger between Change Healthcare and Optum faced considerable regulatory scrutiny from federal antitrust authorities in the United States. The Department of Justice (DOJ) opposed the acquisition, arguing that UnitedHealth's control over Change Healthcare would provide an unfair competitive edge by allowing access to a substantial portion of Americans' healthcare data. According to the DOJ, around half of all U.S. health insurance claims pass through Change Healthcare annually.
Despite these concerns, the merger was approved by a federal judge, enabling UnitedHealth Group to expand its influence in the healthcare sector.
UnitedHealth Group's latest financial reports reveal that it serves over 53 million customers in the United States and an additional 5 million internationally through various benefit plans. Optum, meanwhile, provides services to approximately 103 million U.S. consumers. In 2023, UnitedHealth reported $22 billion in profit on revenues of $371 billion, with CEO Andrew Witty receiving $23.5 million in total compensation for the year.
The recent breach spotlighted cybersecurity gaps and reignited discussions about UnitedHealth's market power.
Reports indicate that before the Change Healthcare hack, the Justice Department had been intensifying its investigation into potential anticompetitive practices by UnitedHealth Group, raising questions about the company's consolidation strategies and their impact on the U.S. healthcare landscape.
The incident underscores the urgent need for robust cybersecurity measures in the healthcare industry, especially for organizations handling vast quantities of sensitive data. As investigations continue, stakeholders are likely to push for stricter regulatory frameworks to protect patient information and maintain fair competition in the healthcare market.