Cyberattack Exposes Data of More Than 100 Million People at Change Healthcare

Threat Actor: Unknown
Victim: Change Healthcare
Price: $2.87 billion
Exfiltrated Data Type: Protected Health Information (PHI)

Key Points:

  • The cyberattack occurred on February 21, 2024, compromising the medical records of over 100 million individuals.
  • This incident is the largest breach of protected health information among HIPAA-regulated entities, exceeding the Anthem Inc. breach in 2015.
  • The U.S. Office for Civil Rights (OCR) has initiated a separate investigation due to the scale of the breach.
  • Senator Ron Wyden criticized Change Healthcare for lacking multi-factor authentication, which facilitated the attack.
  • UnitedHealth Group, the parent company, reported cyberattack-related losses of $2.87 billion as of Q3 2024.
  • More than 50 lawsuits have been filed against Change Healthcare, accusing it of inadequate data protection.
  • 60% of healthcare providers are still struggling with operational issues months after the attack.
  • The incident has prompted agencies to develop new cybersecurity standards for the healthcare sector.

Change Healthcare has officially confirmed that a cyberattack on February 21, 2024, compromised the medical records of over 100 million individuals. This incident represents the largest breach of protected health information (PHI) among HIPAA-regulated entities, surpassing the record-breaking data breach of Anthem Inc. in 2015, which affected 78.8 million people.

Due to the scale of the breach, the U.S. Office for Civil Rights (OCR) initiated a separate investigation. At the time of the initial report in July, the company cited 500 affected individuals, as the analysis was ongoing. Now, Change Healthcare has provided updated figures, estimating approximately 100 million affected individuals, though the verification process remains incomplete, and the number may fluctuate.

Senator Ron Wyden criticized the company’s approach to cybersecurity, highlighting the lack of multi-factor authentication on one of the servers, which enabled attackers to gain access and inflict widespread damage. He called for reforms mandating stricter accountability for security breaches and increased penalties for HIPAA non-compliance.

UnitedHealth Group, the owner of Change Healthcare, has faced enormous financial repercussions from the incident. As of Q3 2024, cyberattack-related losses amounted to $2.87 billion. System restoration is ongoing, but some operations and transactions have not yet returned to pre-attack levels.

The cyberattack has sparked a wave of lawsuits. More than 50 suits filed by patients and healthcare institutions have been consolidated for trial in Minnesota. Plaintiffs accuse the company of inadequate data protection and seek compensation for the breach of personal information.

The incident has also raised concerns over the potential recurrence of similar attacks. A report from the American Medical Association (AMA) indicates that 60% of healthcare providers continue to struggle with verifying insurance information and submitting payment claims several months after the attack.

The Change Healthcare scandal serves as a stark warning for the industry, underscoring the need to reassess cybersecurity priorities. Agencies like the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have begun developing new standards for critical sectors, including healthcare.

Original Source: https://securityonline.info/data-of-over-100-million-individuals-exposed-in-change-healthcare-cyberattack/