Change Healthcare, a UnitedHealth Group subsidiary, processes around 40% of global medical bills, about 15 billion invoices and claims. This large company has now experienced a ransomware attack, and the consequences are still emerging.
In late February 2024, the ALPHV/BlackCat ransomware group hacked Change Healthcare, a part of UnitedHealth Group. The attackers disrupted operations and stole up to 6TB of data, including personal details, payment info, insurance records, and other sensitive data. A ransom payment of $22 million was reportedly made, but it’s not confirmed.
It was not until October 2024 that Change Healthcare reported that about 100 million people had their personal, financial, and medical data exposed in the breach. [1]
This is now the largest healthcare data breach reported to federal regulators, surpassing the previous record set by Anthem’s 2015 breach, which affected 78.8 million people. [2]
Change Healthcare Breach Triggers OCR Investigation
Change Healthcare initially notified the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) of a cyberattack using a placeholder estimate of 500 affected individuals, as the investigation was still ongoing when the report was submitted on July 19, 2024.
Recently, Change Healthcare updated OCR, confirming that approximately 100 million individuals have been notified of the breach. At this time, neither Change Healthcare nor UnitedHealth Group (UHG) has confirmed if the file review is complete.
OCR has launched an investigation to assess Change Healthcare’s HIPAA compliance before the attack. Due to the unprecedented scale, this inquiry may take months or even years.
A ransomware attack and data theft do not automatically indicate Health Insurance Portability and Accountability Act (HIPAA) noncompliance. If noncompliance is found, however, a financial penalty may be imposed.
Out of 3,400 breaches of 500+ records listed in OCR’s portal, only 149 resulted in financial penalties for noncompliance. The maximum penalty for a HIPAA violation under the Health Information Technology for Economic and Clinical Health (HITECH) Act is $1.5 million, or just over $2.1 million when adjusted for inflation, applied per violation per year, according to a post by Steve Adler, editor of The HIPAA Journal.
Change Healthcare Cyberattack Timeline
Below is a detailed timeline of the events surrounding the cyberattack.
- Feb 21, 2024: Change Healthcare detects a cyberattack and takes systems offline.
- Feb 22, 2024: Disruptions reported by hospitals, health systems, and pharmacies.
- Feb 26, 2024: BlackCat ransomware group claims responsibility.
- Feb 29, 2024: BlackCat claims to have stolen 6TB of sensitive data, including patient and military info.
- Mar 1, 2024: Optum introduces temporary financial assistance for providers.
- Mar 3, 2024: BlackCat receives an unverified $22M Bitcoin ransom.
- Mar 4, 2024: AHA criticizes assistance program; hospitals lose over $100M daily.
- Mar 6, 2024: Five federal lawsuits filed against UnitedHealth Group.
- Mar 8, 2024: AHA estimates recovery will take weeks to months.
- Mar 13, 2024: HHS investigates HIPAA compliance.
- Mar 15, 2024: Change Healthcare resumes electronic payments; 94% of hospitals face financial fallout.
- Mar 18, 2024: UnitedHealth reports $2B disbursed to providers and 99% pharmacy service recovery.
- Mar 22, 2024: Senator Warner introduces a cybersecurity bill for Medicare payments during cyberattacks.
- Apr 4, 2024: Change Healthcare asks for consolidation of class actions.
- Apr 8, 2024: Senators demand answers from UnitedHealth’s CEO.
- Apr 16, 2024: RansomHub demands payment for the stolen data, threatening to sell it.
- June 2024: Over 50 lawsuits consolidated into one case in Minnesota.
- June 11, 2024: HITRUST lobbies Congress for improved cybersecurity controls.
- July 2024: The breach response cost rises to $2.3-2.45 billion, including $9 billion in advance payments.
- July 19, 2024: Change Healthcare reports a breach affecting 500 individuals.
- July 31, 2024: HHS officially notified about the breach.
- Sept 19, 2024: Change Healthcare moves to centralize lawsuits related to the breach.
- Oct 17, 2024: Total cost of the attack reaches $2.457 billion.
- Oct 30, 2024: New CISO hired as part of the restructuring.
What The Change Healthcare Breach Means For You
In this data breach, a wide range of personal information may have been exposed, including:
- Personal Details: Names, billing addresses, Social Security numbers, birth dates, and ID numbers (driver’s licenses, state IDs, and passports).
- Insurance Information: Health plans, policy details, insurance member/group IDs, Medicaid, and Medicare ID numbers.
- Billing Information: Billing codes, account numbers, and potentially credit card information.
- Medical Records: Sensitive medical data, including diagnoses, test results, provider information, appointment dates, and prescription history.
The exposure of medical records may be the most troubling aspect of this breach. Unlike credit cards or addresses, your medical history and biometric data are permanent, which makes them highly valuable on the dark web.
Cybercriminals use this data for identity theft, extortion, and fraudulent medical or insurance applications. Unlike other personal data, stolen medical information has a long shelf life for misuse, presenting ongoing risks for those affected.
Survey Reveals Widespread Impact of Change Healthcare Breach
The American Medical Association (AMA) conducted a survey that shows the extensive disruption caused by the Change Healthcare breach:
- 36% of practices had claims payments suspended
- 32% couldn’t submit claims
- 39% lacked access to electronic remittance advice
- 77% experienced service disruptions
- 80% lost revenue from unpaid claims
- 78% lost revenue from unsubmitted claims
- 55% used personal funds to cover expenses
Nearly half of respondents had to work with costly new clearinghouses for electronic transactions. While some practices received advance payments and temporary assistance, issues remain. The survey also included feedback from affected physician practices. UnitedHealth Group reported paying over $2B to help affected providers.
Protection Measures Amidst Fallout of Change Healthcare Breach
If your information was compromised by the Change Healthcare breach, it’s important to take immediate action to protect your identity. Start by enrolling in credit monitoring services, which can help detect any fraudulent activity. Change Healthcare is offering these services, but you may also consider additional tools.
Update your passwords, especially for sensitive accounts like banking and healthcare, and enable multi-factor authentication (MFA) where possible. The Change Healthcare cyberattack was caused by the lack of MFA on a legacy server. Notify your financial institutions of the breach, and monitor your accounts for any unusual transactions.
FAQ
What Happened In The Change Healthcare Cyberattack?
In the Change Healthcare cyberattack, hackers gained access to sensitive data due to a lack of proper security measures on an old server. This led to disruptions in healthcare services, stolen personal information, and financial losses for many providers. The attack affected hospitals and healthcare organizations across the country, as well as 100 million individuals.
Who Targeted Change Healthcare?
The Change Healthcare cyberattack was carried out by the ALPHV/BlackCat ransomware group. This group uses malicious software to steal data and demand ransom payments. They targeted Change Healthcare’s systems to access personal information and disrupt healthcare services, causing widespread issues across hospitals and healthcare providers.
What Are The Consequences Of Cyberattacks In Healthcare?
Cyberattacks in healthcare can lead to stolen personal data, service disruptions, and financial losses. They can also damage a healthcare organization’s reputation and trust. To prevent this, the 2Secure team recommends using MFA to strengthen login security, regular backups and recovery plans to protect data, and endpoint protection to defend against threats on all devices. Since the Change Healthcare systems suffered from a ransomware attack, it would be ideal to also set up an attack simulation to prevent such incidents.
Sources:
- [1] United States Senate Committee on Finance. (n.d.). Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next. https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next
- [2] California Department of Insurance. (2015). Consumer information on Anthem Blue Cross data breach. https://www.insurance.ca.gov/0400-news/0100-press-releases/anthemCyberattack.cfm