UnitedHealth Group Discloses Protected Health Information Compromised for “Substantial Portion of People in America” in Recent Cyberattack

UnitedHealth Group published a statement this week confirming that protected patient health information was compromised in the recent Change Healthcare ransomware attack that has hobbled patient care, insurance, and billing for the better part of the past eight weeks.

As Change Healthcare is responsible for processing insurance and billing for an estimated 50% of all medical claims in the U.S. and handles 15 billion transactions per year, it’s not surprising that their statement confirms “a substantial proportion of people in America” have been impacted by this incident:

Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.

This data exfiltration occurred despite, Change Healthcare making a $22 million dollar ransom payment to ALPHV/Blackcat. The company was targeted again by RansomHub, who claimed that ALPHV stole the original payment and threatened to sell the data to the highest bidder.

The staggering scale of data compromised in this breach is matched by the profound financial consequences. The Healthcare Financial Management Association reported last week that during a Q1 financial results investor call, the company leaders said the Change Healthcare cyberattack had a roughly $870 million impact on UnitedHealth Group (UHG) through March. The company projects that direct costs for the full year will be between $1 billion and $1.15 billion, with revenue loss at $350-450 million.

“The effect of the attack in the period is one of keeping all the lights brightly burning at full readiness to resume services while revenue production was essentially suspended,” UGH president and CFO John Rex said.

Some might see this incident as an argument against ever paying a ransom (which all law enforcement and government agencies advise against) but it’s also easy to see how Change Healthcare could have decided to fork over $22 million as a shot in the dark at restoring their systems and preventing data leak and revenue loss.

UnitedHealth Group reports that pharmacy services are back to 99% of normal levels and that medical claims across the U.S. health system are “flowing at near-normal levels.” Payment processing is at approximately 86% of pre-incident levels. The company said it expects “full restoration of other systems to be completed in the coming weeks.”

Change Healthcare Reportedly Compromised Through Lack of Multi-Factor Authentication on an Application for Remotely Accessing Systems#

A source familiar with the investigation told the Wall Street Journal that Change Healthcare was compromised through a lack of multi-factor authentication (MFA) on an application that gives staff remote access to systems. This happened nine days before the company knew about the breach, giving ALPHV ample time to exfiltrate data.

In March, the U.S. Department of Health and Human Services’s Office for Civil Rights issued a letter and opened an investigation into the Change Healthcare incident due to “the unprecedented magnitude of this cyberattack,” which precipitated a massive disruption in health care and billing.

The preface of the letter cites ransomware and hacking as the health care industry’s chief cyber threats over the past five years:

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

This incident painfully demonstrates that ransomware payments don’t guarantee data security or prevent future attacks. Market consolidation, combined with legacy technologies used in health care systems, makes the industry ripe for ransomware attacks. These types of centralized systems that handle sensitive data remain prime targets, and a single breach can expose the protected health information of millions.