Change Healthcare reveals data stolen in ALPHV/RansomHub cyberattack
Change Healthcare (CHC) has finally revealed what data was exfiltrated by threat actors in the ransomware attack it suffered earlier this year.
Four months after its systems were taken offline following detection of cybercriminals, the UnitedHealth subsidiary published a breach notice revealing that a “substantial amount of data” was stolen in the attack, affecting a “proportion of people in the United States,” echoing statements made by the company’s CEO Andrew Witty earlier in the year, who later said that “maybe a third” of all Americans were affected.
“While CHC cannot confirm exactly what data has been affected for each affected individual, the information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, telephone number and email),” CHC said.
Additionally, the extracted data could include health insurance information, such as insurance plans and companies, and Medicaid, Medicare, and government payer identification numbers; health information, such as test results, diagnoses, medical record numbers, and more; billing and claims information, such as financial or banking information, balance and payments due, account numbers and more; as well as other personal data such as driver’s licenses and Social Security numbers.
“The information that may have been involved will not be the same for all affected people. To date, we have yet to see complete medical histories appear in the data review,” CHC said.
“Additionally, some of this information may be related to guarantors who paid bills for healthcare services. A guarantor is the person who paid the bill for health services.”
CHC said that starting June 20 it began notifying its affected customers of its findings and will provide a link to the substitute notice for its other customers to inform them of what happened.
“The review of personal information potentially involved in this incident is in its final stages,” CHC said.
“CHC is providing this notice now to help people understand what happened, inform them that their information may have been affected, and provide them with information about steps they can take to protect their privacy, including signing up for two years of courtesy credit monitoring and identity theft protection services if they believe their information may have been affected.”
The notification comes four months after the breach, despite US law stating that individual patients must be notified of a data breach within 60 days of discovery.
The attack on Change Healthcare was originally believed to have been committed by a Chinese state-sponsored actor, but was later claimed by the now-defunct ALPHV (BlackCat).
UnitedHealth paid ALPHV $22 million in ransom payments. However, ALPHV pocketed the money and disappeared, leaving the ransomware affiliate behind the breach stranded without payment but with data stolen from UnitedHealth.
As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransom payment. Not long after, the group released some data, claiming that it was now entirely up for sale to the highest bidder.