Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.
A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.
In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”
A notification letter from Change Healthcare said the breach involved the theft of:
-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driver’s license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.
Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.
That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.
A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.
“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”
It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI declined to comment.
Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”
But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.
Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.
According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.
There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.
The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.
Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.
All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.
If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.
Wasn’t this caused by an employee using their personal account on a work computer, thus syncing their data across devices and their personal device was compromised?
Or was that another breach that happened this year?
I would say the bigger risk here is not credit fraud but extortion/blackmail using threat of public disclosure of personal medical history/records. I’m sure that is extremely sensitive information for a lot of people and something not many would want to have exposed to friends/family/coworkers.
Agree, and think of the chilling effect this could have on people’s willingness to seek therapy, counseling,etc. due to the perfectly reasonable fear that the medical system can’t keep their records safe.
I received a letter for each member of my family. I didn’t know until this article that United Health Care was the company behind the leak. I had no idea who Change Healthcare was.
Thanks Brian for this update.
Sadly, the most that will happen is a slap on the wrist.
If you go to https://www.annualcreditreport.com/index.action, it says this:
—
Free weekly online credit reports are available from Equifax, Experian and TransUnion. Credit reports play an important role in your financial life and we encourage you to regularly check your credit history.
—
Is that actually true? Free WEEKLY credit reports?
Yes, as the article above says, that is actually true:
https://consumer.ftc.gov/consumer-alerts/2023/10/you-now-have-permanent-access-free-weekly-credit-reports
There are actually four reporting credit agency’s. Innovis is the 4th and few realize this.
Actually, Brain knows this. It must be an oversight.
10 yrs of federal prison are needed for the entire BoD and C-Suite people who allowed this to be possible. Probably 50+ people need to be tried and put into jail. Otherwise “industry standard security practices” will continue, which is clearly NOT SUFFICIENT.
The thought of appropriate legal recourse, and following through on any type of punishment for actions of large corporations doing damage and death to victims is not ever forthcoming. Just give PG&E headquarters a call, they’re still laughing about killing thousands of people due to their negligence and disregard for human life. They even made their customers pay the fines due to excessive rate increases, so there is no such thing as big corps paying any kind of penalty.
I got a letter from them that my info was part of the breech – and I have no idea how I’m part of their network!
A little transparency as to how providers are related would be really nice.
Brian – I suggest you add a link to your ‘Why & Where You Should Plant Your Flag’ posting every time you post about a data breach such as this one. https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/
I worked as a general IT guy for a behavioral health/addiction clinic. I started as a consultant but finally moved to part-time on call worker so I could be protected by their liability insurance rather than having to cover myself. Plus I was worried if there was a breach I would be inside the corporate wall rather than outside.
I had big problems with vendors. The first EMR company we had, I broke down and yelled at them for the first time in my career. I saw a note asking the receptionist to gather up everyone’s password so the vendor could update their client software. When I told them that was a violation of basic network security nevermind HIPAA regulations, they said “well it’s just easier that way”. I told my boss and I finally decided to quit when I realized the clinic needed that software more than they needed me. I wasn’t around enough to keep tabs on them and I didn’t want to deal with any fallout from their shoddy security practices. Other vendors were either asking to install software on our network or open ports in the firewall so they could remotely access their devices.
That was a small practice without even a full time IT person, these big companies that can afford good cybersecurity teams and equipment have no excuse.
One thing that shocks me is how many people claim to be security conscious, but do not encrypt their e-mail whenever and wherever available. Also, they never digitally sign their e-mail.
Other than my own e-mails between computers, in the past thirty years, the only times I have ever received digitally signed e-mail was on a certain, now-defunct anti-spam list and the only time I have ever received encrypted e-mails were more out of testing than anything else.
For my own e-mail, my various servers send certain logs to my ProtonMail account. Often, but not right now, I encrypt the e-mails with the logs.
Until I see people encrypting and digitally signing their e-mail, I’m not going to take their claims seriously of them being above average in their security consciousness.
The most interesting part, at least to me, was about an affiliate providing them access and then getting stiffed on their “share” of the payout. In other words, they are promising to pay employees or affiliates for giving them their access to the network? That would likely make it really tough to defend against.
I wonder if a hardware key might help against such methods. If the attacker had to have a physical access device to get in, the crooked affiliate should be limited unless he was wiling to give up his access permanently.
I am shocked that you’re missing the elephants in the room. HIPAA and PCI regulations require this data to be encrypted for just this reason. Was it or was it not? I’ve been trying to find out for weeks and this company refuses to respond. And frankly you’re making this out to mainly be the problem for the consumer not the incredible dereliction of duty by this vendor. Do you have the slightest idea the level of effort to even partially protect yourself against this disaster? And all they are offering is minor compensation? Why not urge a class action lawsuit, calling your congress critters, or anything else to hold these people responsible? Or are you afraid to drop some uncomfortable truths on these malefactors?
So, was the sensitive data encrypted or just stored in plain text?
I am genuinely curious.