Change Healthcare ransomware attack exposes personal health information of over 100 million

Change Healthcare ransomware attack exposes personal health information of over 100 million

Over the past few months, we’ve seen a wave of data breaches affecting millions of people, from health care giants to government contractors and more. This latest incident is yet another in a long line of alarming breaches. Change Healthcare experienced a major data breach in February this year, causing widespread disruption across the U.S. health care sector. At the time, the company did not specify how many people were affected by the breach but hinted that it might impact well more than one-third of the U.S. population, marking one of the largest known digital thefts of medical records to date.

The owner of Change Healthcare, UnitedHealth Group (UHG), has now confirmed for the first time that more than 100 million people had their personal information and health care data stolen in what was a ransomware attack.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

Change Healthcare ransomware attack exposes personal health information of over 100 million

UnitedHealth Group confirmed for the first time that more than 100 million people had their personal information and health care data stolen. (Kurt “CyberGuy” Knutsson)

Timeline of the Change Healthcare cyberattack

The Change Healthcare cyberattack happened in February, with news going public on Feb. 21. To contain the breach, the company took its systems offline, which led to immediate disruptions across the U.S. health care sector that relies on Change’s services for claims processing, payments and data sharing. UHG CEO Andrew Witty told Congress in May that “maybe a third” of Americans’ health data was exposed in the attack.

A month later, Change Healthcare sent out a data breach notice confirming that the February ransomware attack exposed a “substantial quantity of data” affecting many Americans. UnitedHealth Group started notifying impacted individuals in late July, with notifications continuing through October, and the final tally of those affected was released this month.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) data breach portal updated the total number of impacted people to 100 million: “On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach,” reads an updated FAQ on the OCR website.

Change Healthcare ransomware attack exposes personal health information of over 100 million

The February ransomware attack exposed a “substantial quantity of data” affecting many Americans. (Kurt “CyberGuy” Knutsson)

THE HIDDEN COSTS OF FREE APPS: YOUR PERSONAL INFORMATION

What data got stolen?

There’s roughly a 30% chance your personal data was compromised in this breach. Change Healthcare is one of the largest handlers of health, medical data and patient records, and in 2022 it merged with U.S. health care provider Optum as part of a deal with UHG, bringing the two giants together under UHG’s umbrella.

This merger gave Optum – already managing physician groups and providing tech and data to insurers and health care services – broader access to the patient records handled by Change. Overall, UHG offers benefit plans to more than 53 million customers in the U.S. and another 5 million globally, while Optum serves about 103 million U.S. customers.

The stolen data varies by individual but includes personal information such as names, addresses, dates of birth, phone numbers, email addresses and government ID numbers, including Social Security, driver’s license and passport numbers. On top of that, hackers may also have accessed health data, including diagnoses, medications, test results, imaging, care and treatment plans and health insurance information. Financial and banking details found in claims and payment data are also reportedly compromised.

Change Healthcare ransomware attack exposes personal health information of over 100 million

Change Healthcare is one of the largest handlers of health, medical data and patient records. (Kurt “CyberGuy” Knutsson)

FROM TIKTOK TO TROUBLE: HOW YOUR ONLINE DATA CAN BE WEAPONIZED AGAINST YOU

What caused the data breach?

The Change Healthcare data breach was caused by a ransomware attack, a type of malware attack that blocks access to the victim’s personal data unless a “ransom” is paid. UHG said ALPHV/BlackCat was behind the attack, a Russian-speaking ransomware and extortion gang that later took credit for the cyberattack.

However, the attack was made possible because Change Healthcare wasn’t smart enough to protect its customers’ data with multifactor authentication. The company admitted this during a House hearing into the cyberattack in April. This raises an important question: how could a company that has billions of dollars in revenue and stores data for over 100 million Americans fail at basic cybersecurity?

UHG paid a ransom to get a decryptor and for the hackers to delete the stolen data. The ransom was said to be around $22 million and was supposed to be split between the affiliate and the ransomware operation. However, BlackCat kept it all for themselves and pulled an exit scam.

This complicated things for UHG because the affiliate claimed they still had the company’s data. They later joined forces with a new group called RansomHub, leaking some of the stolen data and extorting a second ransom from UHG.

6 ways to protect yourself from Change Healthcare data breach

1) Remove your personal information from the internet: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. Check out my top picks for data removal services here.

2) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions and security alerts.

3) Be cautious of phishing attempts: Be vigilant about emails, phone calls or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request. The best way to protect yourself from clicking malicious links that install malware is to have strong antivirus protection installed on all your devices. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

4) Monitor your accounts: Breaches of this magnitude will make it a necessity for you to start routinely reviewing your bank accounts, credit card statements and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company. 

5) Recognizing and reporting a Social Security scam: If there is a problem with a person’s Social Security number or record, Social Security will typically mail a letter. You can learn more about recognizing Social Security-related scams, including how to report a scam quickly and easily online to Social Security’s Office of the Inspector General, by reading more at www.ssa.gov/scams.

6) Invest in identity theft protection: Data breaches happen every day and most never make the headlines, but with an identity theft protection service, you’ll be notified if and when you are affected. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

One of the best parts of using some services is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any lossesSee my tips and best picks on how to protect yourself from identity theft.

Kurt’s key takeaway

In just 2024, with over two months still to go, we’ve witnessed countless data breaches affecting millions of Americans. This highlights how valuable your data is and how little some companies are doing to protect it. Big firms with massive revenues are struggling to implement even the most basic cybersecurity measures, practically inviting cybercriminals to hack their systems. Change Healthcare fell into this trap by not implementing two-factor authentication, leaving everything from your financial details to health data in the hands of criminals.

Do you think these companies are doing enough to protect your data and is the government doing enough to catch those behind cyberattacks? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/NewsletterAsk Kurt a question or let us know what stories you’d like us to coverCyberGuy.com.