The Change Healthcare ransomware assault has impacted the private data of 100 million US residents, up to date figures from the US Division of Well being and Human Providers (HHS) have revealed.
The determine means the assault, which started in February 2024, is the biggest identified knowledge breach of US healthcare data ever recorded.
The HHS Workplace for Civil Rights (OCR) mentioned that Change Healthcare knowledgeable it on October 22 that roughly 100 million particular person knowledge breach notices have been despatched relating to the incident.
The healthcare cost supplier started sending notification letters to impacted sufferers in July.
In an announcement, Change Healthcare proprietor UnitedHealth Group mentioned it was persevering with to inform doubtlessly impacted people as rapidly as potential, on a rolling foundation.
“Given the amount and complexity of the information concerned, the investigation remains to be in its remaining phases,” the corporate famous.
In June 2024, Change Healthcare offered particulars of the private, monetary and well being knowledge which will have been breached within the assault.
This was:
- Contact data, together with first and final identify, tackle, date of beginning, cellphone quantity and electronic mail
- Medical health insurance data, equivalent to main, secondary or different well being plans/insurance policies, insurance coverage firms, member/group ID numbers and Medicaid-Medicare-government payor ID numbers
- Billing, claims and cost data, together with declare numbers, account numbers, billing codes, cost playing cards, monetary and banking data, funds made and stability due
- Different private data, equivalent to Social Safety numbers, driver’s licenses or state ID numbers, or passport numbers
Learn now: 14 Million Sufferers Impacted by US Healthcare Information Breaches in 2024
Change Healthcare Assault Underneath Investigation
In March 2024, the OCR mentioned it’ll examine the ransomware assault to find out whether or not protected healthcare data was breached and if the agency complied with its regulatory duties.
Along with the breach of delicate data, the assault induced important disruption to healthcare providers throughout the US, together with prescription delays.
UnitedHealth admitted that it paid a $22m ransom to the BlackCat ransomware gang to revive its programs. The group reportedly engaged in an ‘exit rip-off’ after receiving the cost.
In Could, UnitedHealth CEO Andrew Witty offered a written testimony earlier than a Congressional listening to, which revealed that the hackers used compromised credentials to remotely entry a Change Healthcare Citrix portal, an software used to allow distant entry to desktops. The portal didn’t have multifactor authentication (MFA).
This allowed the attackers to maneuver laterally inside Change Healthcare programs and exfiltrate affected person knowledge.
Picture credit score: Pavel Kapysh / Shutterstock.com
