U.S. Health Care Company Confirms Theft of Patient Data

The company has also confirmed having paid ransom money to blackmailers to prevent publication of the data. (Source: IMAGO / ZUMA Wire)

Patient information was stolen as part of a cyberattack against health care services company Change Healthcare. Parent company UnitedHealth Group has now confirmed the data breach.

The attack occurred in February. As UnitedHealth Group said in a statement posted on Monday, “protected health information” and “personally identifiable information” were also stolen. The company has not yet said how many people were affected. Patients whose data was compromised could, however, represent “a substantial proportion of people in America.”

So far there is no evidence that “materials such as doctors’ charts and full medical histories” were stolen, the statement continues. The investigation is ongoing, however. UnitedHealth Group expects it to take several months before it is able to conclude the data review – and notify those impacted by the attack.

Change Healthcare provides services for the U.S. health care system. Pharmacies use Change Healthcare services to calculate medication costs covered by health insurance companies or check whether patients have been prescribed a particular drug. According to Reuters, the company processes roughly half of all medical claims in the U.S.

Pharmacies Unable to Process Prescriptions

U.S. media are describing the attack as one of the largest cyberattacks ever directed at the health care system. One consequence of the attack in February was that many U.S. pharmacies were unable to calculate the portion of prescription costs covered by insurance. Patients had to decide whether to pay the full cost of their medications themselves or go without.

Pharmacies inside the United States weren’t the only ones affected. U.S. military hospitals and pharmacies around the world experienced disruptions as a consequence of the attack. According to UnitedHealth Group, these problems have largely been resolved by this point: 99 percent of impacted pharmacies are now able to process insurance claims again.

The company also stated that it was working with “leading external industry experts” and “continues to monitor the internet and dark web to determine if data has been published.” To date, 22 screenshots have surfaced that purport to show stolen data.

According to U.S. media reports, Change Healthcare is thought to have been a victim of a ransomware attack. Criminals typically use ransomware to encrypt data – and then demand a ransom to restore access. Another tactic attackers use is to steal data and threaten to publish it if their demands for payment aren’t met. Paying the ransom, however, guarantees neither that the blackmailers will refrain from publishing the data nor that they will actually restore encrypted data.

This is clearly evident in the present case: UnitedHealth Group has confirmed to several U.S. media outlets that it paid a ransom to prevent the publication of patient data. According to Wired magazine, the blackmailers received roughly 22 million U.S. dollars. Nevertheless, there is still a risk that patient data will be published. Wired reports that cybersecurity experts now fear that the attack’s success “will lead ransomware gangs to further target healthcare companies.”

According to media reports, a group known as AlphV or BlackCat was behind the blackmail campaign. The U.S. State Department has offered a 10 million dollar reward “for information leading to the identification or location” of any of the group’s members. According to the State Department, the group develops ransomware and works with affiliates to deploy it.

Targeting Health Information

Last year there were several cybersecurity incidents within the health care system in the United States. In late October the Department of Health and Human Services reported that more than 88 million people had been affected by data leaks in 2023.

In May 2023, for example, the social security numbers and personal health information of millions of insurance holders were stolen. The information stolen included medical records like x-rays and prescription details.

In December criminals gained access to sensitive data belonging to millions of people in an attack on a hospital network.

And late last year a company that operates 30 hospitals in six states had to divert patients from its own emergency rooms to other hospitals. The hospitals’ network had been taken offline after ransomware was discovered. (js)