Summary: Change Healthcare is notifying millions of individuals about a significant data breach resulting from a cyberattack that occurred over five months ago, affecting sensitive health information. The company is providing free credit monitoring and identity theft protection to those potentially impacted while navigating the complexities of the breach notification process.
Threat Actor: BlackCat (AlphV)
Victim: Change Healthcare
Key Points:
- Change Healthcare began sending breach notification letters to affected individuals on July 29, 2024.
- The cyberattack, which occurred on February 21, resulted in the theft of approximately 4 terabytes of patient data and a ransom payment of $22 million.
- The breach is expected to be the largest health data breach notification event in U.S. history, potentially affecting over 100 million individuals.
- HHS OCR is investigating the breach and the compliance of Change Healthcare and its parent company, UnitedHealth Group.
- Impacted data may include personal information such as names, addresses, health insurance details, and sensitive health records.
IT Services Vendor Is Sending Individual Letters to Victims on a Rolling Basis
Millions of Americans will soon receive a breach notification letter from Change Healthcare, which said on Monday that it has started the process of notifying victims of the massive cyberattack and data theft first detected more than five months ago.
In an updated frequently asked questions section about the cyber incident, posted on its website on Monday, the company said it does not have a date when specific sets of individuals will receive notifications but that the mailing began on July 29.
“Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible, given the volume and complexity of the data involved. Please note, we may not have sufficient addresses for all affected individuals,” the company said.
As of Monday, Change Healthcare had not posted breach reports related to the hacking incident on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website that lists health data breaches affecting 500 or more individuals (see: Ascension Files Placeholder Breach Report for May Hack).
HHS’ Office for Civil Rights has previously said that reports are posted on the public website after they have been vetted by the agency – a process that usually takes one or two weeks.
“The data review is in its final stages, but we have analyzed a sufficient amount of data to start notifying,” a Change Healthcare spokesman told Information Security Media Group. “Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible given the volume and complexity of the data involved.”
“Rather than waiting until the end of our data review, Change Healthcare is continuing to offer free credit monitoring and identity theft protection to anyone concerned their data may have been impacted.”
HHS OCR did not immediately respond to ISMG’s request for comment on Change Healthcare’s breach notification.
On June 20, Change Healthcare posted a substitute HIPAA breach notice on its website for organizations and individuals affected by the hacking incident, saying that it expected to send written notifications in late July. Change Healthcare last month began notifying clients whose data was affected in the incident (see: Change Healthcare Begins to Notify Clients Affected by Hack).
Change Healthcare on Monday advised affected clients to prominently post the company’s substitute HIPAA breach notice on the home page of their websites for at least 90 consecutive days. “This substitute notice contains the information Change Healthcare can provide at this time while Change Healthcare is in its late stages of data review to identify affected individuals.”
Historic Breach
Five months have passed since the massive Feb. 21 cyberattack on Change Healthcare shut down more than 100 IT services for weeks, disrupting business and clinical processes of thousands of doctors, pharmacies and medical practices.
Russian-speaking ransomware cybercriminals BlackCat, aka AlphV, claimed responsibility for the attack, and the company admits that it paid the attackers a $22 million ransom. BlackCat claimed on the dark web to have stolen 4 terabytes of patient data (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).
Change Healthcare has offered to handle breach notification for clients affected by the incident, so it is unclear how many individual breach reports related to the incident will be filed with HHS OCR.
HHS OCR previously issued updated guidance regarding the Change Healthcare incident and breach reporting (see: Feds Say Change Healthcare Can Handle Breach Notification).
UHG CEO Andrew Witty testified in May to two congressional committees that the incident was estimated to have affected the protected health information of up to one-third of the American population – or more than 100 million people (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
In an unusual move, HHS OCR in March announced that it was already investigating the Change Healthcare data breach and the HIPAA compliance of Change Healthcare and its parent company, UnitedHealth Group (see: Feds Launch Investigation Into Change Healthcare Attack).
Typically, HHS OCR does not begin a breach investigation until a HIPAA breach or complaint has been filed. HHS OCR Director Melanie Fontes Rainer during an ISMG Healthcare Cybersecurity Summit fireside chat in New York on July 18 told attendees that the historic nature of the Change Healthcare cyberattack warranted the agency’s earlier regulatory action. The incident is expected to result in by far the nation’s largest health data breach notification event to date.
Change Healthcare said on its website that while the company’s data analysis is ongoing, the affected information may include information such as name, address, birthdate, phone number and email, and health insurance information such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
Also affected was health information, such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment, billing, and claims and payment information, such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made and balance due.
Other personal information – such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers – is also potentially affected. Not all individuals have the same variety of information compromised, the company said.