A substantial proportion of people in America have had personal information exposed as a result of the Change Healthcare hack.
UnitedHealth Group, owners of Change, provided an update on ongoing review of impacted patient data on April 22, 2024.
The company said that based on initial targeted data sampling to date, it has found files containing protected health information (PHI) or personally identifiable information (PII).
However, there has been no evidence of exfiltration of materials such as doctors’ charts or full medical histories.
In a statement, Andrew Witty, CEO of UnitedHealth said: “We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it.”
The data review is likely to take several more months due to the ongoing nature and complexity, the company stated.
The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published.
There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time the company said.
Ransom Paid by Change Healthcare Owners
According to a statement sent to some news outlets on April 22, UnitedHealth did pay a ransom to the hackers as part of the company’s commitment to protect patient data from disclosure.
The amount paid has not been disclosed, however some reports suggest it was $22m.
The debate surrounding whether ransom payments should or should not be made continues in the cybersecurity world.
Trevor Dearing, Director of Critical Infrastructure at cybersecurity firm Illumio explained: “Attackers want to put decision makers in a morally impossible situation so that they have no choice but to pay ransoms in order to get their services back up and running.”
“The situation is heightened even more in the healthcare sector when they’re choosing between sometimes life and death patient care scenarios and paying ransom demands,” Dearing added.
Mayur Upadhyaya, CEO at APIContext, noted that ransom payments don't guarantee data security and that collaborating with cybersecurity experts is crucial to ensure network resilience against evolving cyber threats.
Finally, Erich Kron, Security Awareness Advocate at KnowBe4 said that organizations must consider ransomware in their incident response plans, regardless of the industry they are in.
“This means considering if ransom payments are an option at all, and understanding the impact an outage may have on the organization, and how much that would be worth,” Kron noted.
On the Path to Restoration
The attack, orchestrated by the ALPHV/BlackCat ransomware gang in February, severely disrupted healthcare operations across the US.
The company said that 99% of pre-incident pharmacies are now able to process claims, a service severely interrupted because of the cyber-attack.
Payment processing by Change Healthcare, which represents approximately 6% of all payments in the US healthcare system, is at approximately 86% of pre-incident levels.
The US government is investigating the Change Healthcare ransomware attack to determine whether PHI was breached and if the firm complied with its regulatory duties.