100 Million Affected in Largest Medical Data Leak in History - Medical Information, SSN, etc.

More than 100 million people had their personal and medical data stolen in a massive UnitedHealth ransomware attack earlier this year, making it the largest healthcare data breach in the country.

After completing an investigation into the February data breach, the U.S. Department of Health and Human Services announced this week that the attack exposed roughly one-third of all Americans' health data. The findings corroborate an April statement by UnitedHealth that the attack exposed sensitive data on “a significant percentage of the American population.”

In February, ransomware hacking group ALPHV, also known as “BlackCat,” launched a cyberattack on Change Healthcare, a subsidiary of UnitedHealth, causing months of unprecedented outages and claims. Change Healthcare is one of the largest healthcare payment processors in the world and works with major insurance companies including Aetna, Anthem, Blue Cross Blue Shield, and Cigna.

“On October 22, 2024, Change Healthcare notified [HHS's Office for Civil Rights] that approximately 100 million individuals have been notified regarding this breach,” the FAQ on the HHS website states.

According to the company's June public notice, the stolen data includes billing, claims, and payment information; medical information, including diagnoses, test results, and chart numbers; health insurance information, including member/group ID numbers; Social Security numbers; and personal information, including driver license and state ID numbers.

UnitedHealth first reported the breach on February 21; Change Healthcare alerted users to the data breach the following month; in June, the company issued a public notice as part of its obligation to notify the one-third of the country estimated to have been affected by the ransomware attack. The company said it was not aware of the breach. The federal investigation is still in its final stages, and the company will continue to notify individuals who may have been affected as quickly as possible, UnitedHealth said in a statement.

At a congressional hearing in May, UnitedHealth CEO Andrew Witty testified that a group of hackers used stolen employee login credentials to break into the company's Citrix Remote Access service. Importantly, multi-factor authentication (MFA) was not turned on in the Citrix profile, opening the gate for hackers to gain remote access to the company's network. Witty told lawmakers that the company updated its internal policies to require MFA in response to the cyberattack. UnitedHealth confirmed to Congress that it paid a $22 million ransom demand to receive the decryptor with the agreement that the hackers would delete the stolen data, but the data was not deleted. After receiving payment, BlackCat pulled an exit scam and shut down its servers.
