A ransomware attack last year on Change Healthcare, a subsidiary of UnitedHealth Group, compromised the personal and healthcare data of 190 million individuals, it has emerged, making it one of the largest healthcare data breaches in US history. The breach, which occurred in February 2024, disrupted essential healthcare operations and resulted in the theft of a significant amount of sensitive data.
Attributed to the BlackCat ransomware group, also known as ALPHV, the attack also caused significant disruption within the US healthcare system and to Change Healthcare itself. The firm, one of the largest processors of health claims in the country, experienced widespread system outages as well as the interruption of its claims processing network, leading to delays and difficulties in processing prescriptions. Pharmacies were additionally impacted, with some forced to charge patients full prices for medications instead of allowing them to use discount prescription cards.
The ransomware group exploited a vulnerability in Change Healthcare’s Citrix remote access service, which lacked multi-factor authentication. Once inside, the hackers stole approximately 6 terabytes of sensitive data, encrypting systems in the process and forcing the company to shut down its IT infrastructure.
Data compromised in the attack
The stolen data includes a broad range of sensitive personal and healthcare information. Among the data compromised were health insurance member IDs, patient medical records, billing information, and personal identifiers such as social security numbers, phone numbers, and addresses.
Initially, Change Healthcare reported that the breach impacted 100 million individuals, a figure disclosed to the US Department of Health and Human Services (HHS) in October 2024. However, UnitedHealth later revised the number of affected individuals upward to 190 million in a statement to TechCrunch, nearly doubling the earlier estimate. According to UnitedHealth spokesperson Tyler Mason, the final number will be confirmed and filed with the HHS Office for Civil Rights at a later date.
In response to the attack, UnitedHealth paid a $22m ransom in an effort to recover the stolen data and prevent it from being leaked. However, the BlackCat ransomware group executed an exit scam, keeping the ransom payment for itself before partnering with another ransomware group, RansomHub. Some of the stolen data has also been leaked online, and the BlackCat group continues to demand additional payments for the remaining stolen data. There are no indications that the compromised information has been misused at this stage, but the sheer scale of the breach raises concerns about potential misuse in the future.
“UnitedHealth also has suffered an estimated $2 billion in losses following the attack, which also makes it one of the costliest cyber incidents,” said Simon Phillips, chief technology officer at SecureAck, “despite the company apparently paying the ransom demand, twice. This should act as a warning to other organisations. Paying a ransom demand doesn’t equal exemption from the other costs and reputational damage associated with attacks.”