United Healthcare, the parent company of Change Healthcare, has admitted that data of over 100 million people was breached in a February cyberattack, which makes it the biggest breach in the US healthcare industry. Here, we’ll look at the timeline of the incident and what lies ahead for those impacted by that breach.

Change Healthcare, which United Health acquired for $13 billion in 2022, processes nearly half of all medical claims in the US and works with around 5,500 hospitals, 900,000 physicians, 33,000 pharmacies, and 600 laboratories.

A Brief Timeline of Change Healthcare Data Breach

On February 21, Change Healthcare was struck by a cyberattack that led to chaos in the US healthcare system. Healthcare providers were temporarily unable to fill medications and could not get reimbursement for their services from health insurance companies, leading to massive inconveniences for all concerned, including patients.

United Healthcare officially admitted the cyberattack on February 29, and in early March it paid a ransom to hackers. On April 15, a new extortion racket named RansomHub was formed, which demanded another bounty from United Healthcare. A week later, United Healthcare talked about the scale of the cyberattack for the first time and said it impacted a “substantial proportion of people in America.”

We got more details about the data breach during the testimony of United Health CEO Andrew Witty on May 1 where he said that the hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.”

The fact that the portal did not have multifactor authentication only made their job easier. Since multifactor authentication (MFA) is the norm these days (and is often the bare minimum) for any company that cares about the data and credentials of its users, the lack of MFA on the said portal is quite perplexing and rather terrifying. The fact that the company, worth over half a trillion dollars, handles the incredibly sensitive data of so many people makes it even worse.

Over the next two months, United Healthcare started notifying affected medical establishments and patients.

United Healthcare Admits the Cyberattack Was the Largest in US History

During his testimony, Witty admitted that data of around a third of Americans might have been stolen in that attack, which meant that it was among the biggest US healthcare breaches. Now, the company has officially admitted that data of over 100 million users has indeed been breached, which makes it the biggest ever US healthcare breach, ahead of Anthem’s 2015 breach that affected 78.8 million of its members.

In his statement, United Healthcare spokesperson Tyler Mason said “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages.”

What Data Was Affected in the Change Healthcare Breach?

In its release, Change Healthcare said that it “cannot confirm exactly what data has been affected for each impacted individual.” However, it said that the data may include contact details like name, phone number, email, and address. In addition, information related to health, health insurance, billing and payment information, and other personal information like social security and other personal identification IDs might have been breached.

That data is likely already being misused by bad actors for serious crimes like fraud (often using convincing fake bills), identity theft, and even blackmail. The data can also be misused by adverse foreign powers.

Importantly, we still don’t have any concrete proof that the cybercriminals involved in the Change Healthcare breach deleted the data even after getting the ransom. In the past, there have been instances of cybercriminals not deleting the data despite claiming to do so after getting the ransom. And why would they? The group has likely already committed plenty of crimes to obtain the data and extract a ransom, so going back on its word wouldn’t exactly be surprising.

UnitedHealth Has Suffered a Massive Financial Blow Due to the Breach

UnitedHealth too paid a heavy price for the Change Healthcare breach, including a $22 million ransom to BlackCat in the form of Bitcoin – a decision Witty said was his. However, there are other costs associated with the attack, and during its Q3 2024 earnings call, United Healthcare raised the estimate to $2.46 billion.

That doesn’t even include any indirect costs which are certain to become a problem. We also need to account for the damage to the brand and credibility of the company. Stock markets have also taken note of the breach and with a YTD gain of a mere 6%, United Healthcare stock is underperforming the markets by a wide margin.

Finally, United Healthcare could be liable for not securing private information well enough, and consumers and healthcare companies have already filed at least 49 class action lawsuits so far. The company could be on the hook for much more money than it has already lost given the scale of the hack (and its lack of basic security features).

What Should United Healthcare Customers Do?

United Health hasn’t yet been able to inform all the impacted customers due to the sheer number of people who have been hit by the breach. The company advises that Change Healthcare customers should regularly monitor the benefits statements from their health plan and healthcare providers for any suspicious activity. It also calls upon customers to similarly check their financial statements.

It advises customers to approach the relevant institution to report any unfamiliar activity in their account. Finally, if a customer believes that they were defrauded, they should approach local law enforcement agencies.

United Healthcare is providing two years of free credit monitoring and identity theft protection to those customers who believe they may have been impacted by the breach. The company’s dedicated call center will have trained clinicians who will also provide emotional support services if needed.

What Should You Do To Protect Yourself From Breaches?

Data breaches are a growing menace, but there is not much that users can do to totally protect themselves from incidents like the Change Healthcare data breach. Customers trust such credible companies to protect their data from getting hacked, and it is the companies’ responsibility to keep it secure.

However, users must follow some basic hygiene online to reduce the risk of their data getting breached and to minimize the impact if it is.

Having an identity threat protection service might also be helpful as it helps you figure out whether you have been part of a breach. Finally, if you discover that you were part of a breach, try changing the passwords for your accounts that were part of the breach and remain attentive to any suspicious activity in your accounts.