The Change Healthcare ransomware attack has impacted the personal information of 100 million US residents, updated figures from the US Department of Health and Human Services (HHS) have revealed.
The figure means the attack, which began in February 2024, is the largest known data breach of US healthcare data ever recorded.
The HHS Office for Civil Rights (OCR) said that Change Healthcare informed it on October 22 that approximately 100 million individual data breach notices have been sent regarding the incident.
The healthcare payment provider began sending notification letters to impacted patients in July.
In a statement, Change Healthcare owner UnitedHealth Group said it was continuing to notify potentially impacted individuals as quickly as possible, on a rolling basis.
“Given the volume and complexity of the data involved, the investigation is still in its final stages,” the company noted.
In June 2024, Change Healthcare provided details of the personal, financial and health data that may have been breached in the attack.
This was:
Contact information, including first and last name, address, date of birth, phone number and email
Health insurance information, such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers and Medicaid-Medicare-government payor ID numbers
Billing, claims and payment information, including claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made and balance due
Other personal information, such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers
Change Healthcare Attack Under Investigation
In March 2024, the OCR said it would investigate the ransomware attack to determine whether protected healthcare information was breached and if the firm complied with its regulatory duties.
In addition to the breach of sensitive information, the attack caused significant disruption to healthcare services across the US, including prescription delays.
UnitedHealth admitted that it paid a $22m ransom to the BlackCat ransomware gang to restore its systems. The group reportedly engaged in an ‘exit scam’ after receiving the payment.
In May, UnitedHealth CEO Andrew Witty provided written testimony before a Congressional hearing, which revealed that the hackers used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multifactor authentication (MFA).
This allowed the attackers to move laterally within Change Healthcare systems and exfiltrate patient data.