Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.
Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.
Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.
Key Events Following the Ransomware Attack:
- February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
- February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data
- March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
- March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
- March 28, 2024:The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
- April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
- April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
- May 1, 2024:UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
- June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to request UnitedHealth to notify affected patients on their behalf.
- July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.