UnitedHealth Group (UHG), the U.S. health insurance provider that owns Change Healthcare, has now quantified the number of affected individuals, previously expecting the breach to impact a substantial proportion of people in America. UHG spokesperson Tyler Mason stated, “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved. The investigation is still in its final stages.” The data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, with ramifications that are likely to be life-lasting for millions of Americans.
The stolen data varies by individual and includes names, addresses, dates of birth, phone numbers, email addresses, and government identity documents, such as Social Security numbers, driver’s license numbers, and passport numbers. Additionally, the breached health data encompasses diagnoses, medications, test results, imaging and care plans, health insurance information, and financial information related to claims and payments. Change Healthcare is one of the largest handlers of health and medical data, processing patient insurance and billing across the U.S. healthcare sector, including thousands of hospitals, pharmacies, and medical practices.
The cyberattack led Change Healthcare to pull much of its network offline to contain the intruders, resulting in immediate outages for U.S. healthcare providers relying on Change for their operations. UHG attributed the breach to a Russian-speaking ransomware gang, which later vanished with a $22 million ransom paid by the health insurance giant. The gang’s contractors, who carried out the hacking, were left stiffed and subsequently formed a new group, extorting a second ransom from UHG while publishing stolen data.
There is no evidence that the cybercriminals deleted the data, raising ongoing concerns about privacy and security. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, a notorious ransomware gang, have thus far been unsuccessful.
UnitedHealth breach impacts medical records
Months after the data breach, the U.S. increased the reward for information on the gang to $10 million. Despite the scale of the breach, portions of Change Healthcare’s network remain offline as the company continues its recovery efforts. Lawmakers are investigating the breach and its impact on millions of Americans.
During a House hearing in April, UHG CEO Andrew Witty confirmed the cybercriminals leveraged a stolen password to break into Change Healthcare’s network, exploiting the lack of Multi-Factor Authentication (MFA) on a critical internal system. It remains unclear why the system wasn’t protected with MFA, a security measure that can help prevent unauthorized access. This oversight is likely to be a focal point of ongoing investigations by lawmakers and the government.
Following the cyberattack, Witty affirmed that UHG has taken steps to enhance its cybersecurity measures. UnitedHealth Group, which made $22 billion in profit on revenues of $371 billion in 2023, has faced criticism for its cybersecurity failings. In 2022, Change Healthcare merged with U.S. healthcare provider Optum in a $7.8 billion deal that granted UnitedHealth significant access to patient records handled by Change.
This merger faced scrutiny by federal antitrust authorities over concerns of unfair competitive advantage, though it was ultimately approved by a judge. The Justice Department reportedly began investigating UnitedHealth’s practices in the months prior to the Change Healthcare hack, signaling ongoing scrutiny of the company’s operations and security practices.
