Breach Notification , Healthcare , Incident & Breach Response

UnitedHealth Group Previews Massive Change Healthcare Breach

Breach 'Could Cover a Substantial Proportion of People in America,' Company Warns
UnitedHealth Group Previews Massive Change Healthcare Breach
Image: Change Healthcare

Hackers who hit Change Healthcare stole sensitive personal and medical details that may pertain to tens of millions of Americans, the company has warned.

See Also: Reducing Complexity in Healthcare IT

UnitedHealth Group on Monday said the February ransomware attack against its Change Healthcare unit included a data breach "which could cover a substantial proportion of people in America."

The company, which is continuing to probe the attack, said attackers stole both protected health information and personally identifiable information. So far it lacks a full accounting of what got stolen.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals," it said. "While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will do appropriate notifications when we can confirm the information involved."

UnitedHealth Group has launched a dedicated website and call center to support breach victims, and promised to provide "free credit monitoring and identity theft protections for two years" to all victims.

The attack has caused major disruptions for U.S. healthcare providers and patients, in part because it's disrupted medical care reimbursements and for some, the ability to obtain pharmacy prescriptions. Change Healthcare handles about 6% of all U.S healthcare system payments.

The company first confirmed last week that the security incident resulted in the breach of sensitive health information. That admission triggered a regulatory countdown clock for public disclosures and individual notification.

Company Paid a Ransom

The company on Monday confirmed for the first time that it paid a ransom to attackers. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," a UnitedHealth spokesman told TechCrunch.

Security experts recommend never paying ransomware groups for a promise to delete stolen data, saying there is no evidence in history a cybercrime group has honored such a guarantee (see: Ransomware Groups: Trust Us. Uh, Don't.).

A Western affiliate of the BlackCat, aka Alphv, ransomware group who claimed to behind the February attack said UnitedHealth Group paid BlackCat a $22 million ransom over the attack.

The affiliate claimed BlackCat kept the entirety of that massive ransom payment, rather than sharing the affiliate's cut, which would typically be 70% or 80% of the total ransom paid (see: BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam).

Subsequently, the affiliate - or someone else in possession of the stolen data - appeared to begin working with cybercrime group RansomHub. On its leak site, RansomHub last week posted allegedly stolen UnitedHealth Group data, including several screenshots supposedly showing samples of data exfiltrated in the attack. The group claimed to possess 4 terabytes of "highly selective data" pertaining to "all" Change Healthcare clients, which include Tricare, Medicare, CVS Caremark, MetLife, Loomis, Davis Vision, Health Net, Teachers Health Trusts "and tens of insurance and other companies."

On Monday, RansomHub deleted its listing for Change Healthcare, reported Brett Callow, a security analyst at Emsisoft. One reason a group deletes a victim's listing is because the victim has paid a ransom.

UnitedHealth Group didn't respond to requests for comment about how much it paid attackers, or if it has paid multiple ransoms - for example, first to BlackCat and then to RansomHub.

The Wall Street Journal reported that someone with knowledge of the company's investigation said hackers first appeared to breach Change Healthcare's systems on Feb. 12, or nine days before they unleashed ransomware.

Probes and Lawsuits Mount as Restoration Continues

UnitedHealth Group said it's continuing to restore processing capabilities that it took offline following the attack against Change Healthcare - part of its Optum business unit - and that its functionality has returned to approximately 86% of pre-attack levels.

The attack also disrupted the company's eligibility software and analytical tools. "To date, approximately 80% of Change functionality has been restored on the major platforms and products," UnitedHealth Group said. The company didn't say precisely when it expected to restore all systems, promising only that it would occur sometime "in the coming weeks."

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," said Andrew Witty, CEO of UnitedHealth Group.

Witty was a no-show at a House Committee on Energy and Commerce hearing on April 16 titled "Examining Health Sector Cybersecurity In The Wake Of The Change Healthcare Attack" (see: Congress Asks What Went Wrong in Change Healthcare Attack).

"I'm disappointed that UnitedHealthcare chose not to make anyone available to testify today so that the committee and the American people could hear directly from them about how the specific cyberattack occurred," said Cathy McMorris, R-Wash., the committee's chair, in her opening comments.

The committee on Friday announced that Witty is now set to testify on May 1.

"Americans are still dealing with the fallout of the Change Healthcare hack," McMorris and her fellow committee chair Morgan Griffith, R-Va., said in a statement. "Individuals and smaller providers, in particular, have struggled financially following the cyberattack, threatening critical access for patients."

Earlier this month, UnitedHealth Group on its website said that it has so far advanced nearly $4.7 billion in temporary financial assistance to in-need providers during its recovery.

Last month, the Department of Health and Human Services' Office for Civil Rights launched an investigation into the cybersecurity incident, saying it would focus on "Change Healthcare's and UHG's compliance with the HIPAA Rules."

The company also faces at least 11 lawsuits filed by individuals alleging they face the prospect of identity theft and fraud due to their personal information being compromised by the incident. Those lawsuits were filed even before the company confirmed the data breach.

UnitedHealth Group recently estimated that its total costs as a result of the attack could reach $1.6 billion.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.