The US healthcare organisation is finally notifying victims of an ALPHV ransomware attack that affected millions and cost nearly a billion in losses.
Change Healthcare is finally beginning the process of notifying the victims of a February ransomware attack that is thought to have impacted one-third of all Americans.
The US healthcare organisation said in an update to its FAQ page on the incident that the notification process began on 29 July.
“Change Healthcare has begun mailing written notices to individuals affected by the February cyber security incident, in line with the process we announced in June. Because we are mailing on a rolling basis, we do not have a date when specific sets of individuals will receive notification, but the mailing will begin July 29,” Change said.
“Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible, given the volume and complexity of the data involved.”
Change did note, however, that it may not have addresses for all affected individuals. It also takes responsibility for notifying customers and patients of organisations impacted by the attack.
“Change Healthcare is proceeding as the delegate on behalf of HIPAA customers who have been notified by Change Healthcare that they were impacted and who have not opted out of Change Healthcare’s notification process,” Change said in its FAQ.
The ALPHV ransomware gang made targeting healthcare organisations a priority after its operation was taken down by law enforcement in 2023.
“Because of their [law enforcement] actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS [Commonwealth of Independent States], you can now block hospitals, nuclear power plants, anything and anywhere,” ALPHV said in December 2023.
ALPHV’s 12 February ransomware attack crippled Change Healthcare, which is a subsidiary of the US’ largest healthcare organisation, UnitedHealth. Change’s systems only started to come back online in mid-March, when the US government joined the investigation into the incident.
It was thought at the time that a nation-state threat actor could be behind the attack, operating as an affiliate of ALPHV. However, ALPHV later scammed the affiliate out of a US$22 million ransom payment, before claiming to put its malware code up for sale for US$5 million.
In April, a second ransomware group, RansomHub, also claimed to have access to Change Healthcare’s data.
Given the complexity of the data and its sheer scale, Change Healthcare was only able to determine what had been stolen in June. The impacted data included patient health records, insurance information, payment details, and Social Security numbers.
The US State Department has offered a reward of US$10 million for information on the hackers behind the attack.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.