The recent ransomware attack on Change Healthcare has sent shockwaves through the healthcare industry, impacting the personal information of a staggering 100 million US citizens. According to the latest updates from the US Department of Health and Human Services (HHS), this attack, which commenced in February 2024, stands as the largest data breach of US healthcare records ever recorded.
The magnitude of this breach is truly unprecedented, with the HHS Office for Civil Rights (OCR) confirming that Change Healthcare has sent out approximately 100 million individual data breach notices in response to the incident. This breach has prompted Change Healthcare, a prominent healthcare payment provider, to begin notifying affected patients since July.
In an official statement, Change Healthcare’s parent company, UnitedHealth Group, reassured the public that they are diligently notifying potentially impacted individuals on a rolling basis as the investigation progresses. The company emphasized the complexity of the data involved and noted that the investigation is still ongoing, even as of the latest update in June 2024.
The breached data includes a wide array of personal, financial, and health information, such as contact details, health insurance information, billing and payment data, as well as sensitive personal identifiers like Social Security numbers and driver’s license numbers.
The breach has triggered a thorough investigation by the OCR to assess the extent of the data breach and evaluate Change Healthcare’s compliance with regulatory obligations. Apart from the compromised information, the ransomware attack has resulted in widespread disruptions to healthcare services, including prescription delays, across the US.
UnitedHealth Group’s decision to pay a $22 million ransom to the BlackCat ransomware gang to regain control over its systems raised eyebrows. The hackers allegedly initiated an ‘exit scam’ following the payment. Moreover, CEO Andrew Witty’s testimony before a Congressional hearing shed light on the tactics employed by the hackers, including the use of compromised credentials to access the Change Healthcare Citrix portal without multi-factor authentication (MFA).
As the healthcare industry grapples with the aftermath of this massive breach, it serves as a stark reminder of the pressing need for robust cybersecurity measures to safeguard sensitive patient information. The repercussions of this breach are far-reaching and underscore the importance of proactive measures to prevent such incidents in the future.
By Pavel Kapysh via Shutterstock.