Change Healthcare (CHC) has at long last revealed what data was exfiltrated by threat actors in the ransomware attack it suffered earlier this year.
Four months after its systems were taken offline when it detected the presence of cyber criminals, the UnitedHealth subsidiary has published a breach notification revealing that a “substantial quantity of data” was stolen in the attack, affecting a “substantial proportion of people in America”. This echoes statements made earlier in the year by the company CEO Andrew Witty, who later said that “maybe a third” of all Americans were affected.
“While CHC cannot confirm exactly what data has been affected for each impacted individual, information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, phone number, and email),” CHC said.
Additionally, data exfiltrated could include health insurance information, such as insurance plans and companies and Medicaid-Medicare-government payor ID numbers; health information, such as test results, diagnoses, medical record numbers and more; billing and claims information, such as financial or banking information, balance and payments due, account numbers and more; as well as other personal data, such as driver’s licenses and social security numbers.
“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review,” CHC said.
“Also, some of this information may have related to guarantors who paid bills for healthcare services. A guarantor is the person who paid the bill for healthcare services.”
CHC said that it has been notifying its affected customers of its findings since 20 June, and that it will provide a link to the substitute notice for its other customers to inform them of what happened.
“The review of personal information potentially involved in this incident is in its late stages,” CHC said.
“CHC is providing this notice now to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.”
The notification comes four months after the breach, despite US law stating that individual patients must be notified of a data breach within 60 days of discovery.
The attack on Change Healthcare was originally believed to have been carried out by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).
UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.
As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransom payment. Not long after, the group published some data, claiming the entirety of it was now for sale to the highest bidder.