The Change Healthcare ransomware attack has impacted the personal information of 100 million US citizens, updated figures from the US Department of Health and Human Services (HHS) have revealed.
The figure makes the attack, which began in February 2024, the largest known breach of US healthcare records.
The HHS Office for Civil Rights (OCR) said that Change Healthcare informed it on October 22 that approximately 100 million individual data breach notices have been sent regarding the incident.
The healthcare payment provider began sending notification letters to impacted patients in July.
In a statement, Change Healthcare owner UnitedHealth Group said it was continuing to notify potentially impacted individuals as quickly as possible, on a rolling basis.
“Given the volume and complexity of the data involved, the investigation is still in its final stages,” the company noted.
In June 2024, Change Healthcare provided details of the personal, financial and health data that may have been breached in the attack.
This was:
- Contact information, including first and last name, address, date of birth, phone number and email
- Health insurance information, such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers and Medicaid-Medicare-government payor ID numbers
- Billing, claims and payment information, including claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made and balance due
- Other personal information, such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers
Change Healthcare Attack Under Investigation
In March 2024, the OCR said it would investigate the ransomware attack to determine whether protected healthcare information was breached and whether the firm complied with its regulatory duties.
In addition to the breach of sensitive information, the attack caused significant disruption to healthcare services across the US, including prescription delays.
UnitedHealth admitted that it paid a $22m ransom to the BlackCat ransomware gang to restore its systems. The group reportedly engaged in an ‘exit scam’ after receiving the payment.
In May, UnitedHealth CEO Andrew Witty provided written testimony before a Congressional hearing, which revealed that the hackers used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multifactor authentication (MFA).
This allowed the attackers to move laterally within Change Healthcare systems and exfiltrate patient data.