Latest Medical Data Breach Leaves More Than 100 Million People Exposed
Data leaks and breaches are an unfortunate reality of modern life, and they occur with relative frequency. The latest high-profile incident affected customers of UnitedHealth Group, whose subsidiary Change Healthcare was reportedly hit by a ransomware attack that compromised the data of more than 100 million people. In short: it’s not good.
What happened to Change Healthcare?
As TechCrunch reported on Thursday, attackers hit Change Healthcare back in February, causing disruptions and downtime for the company for several months. Eight months later, parent company UnitedHealth Group shared for the first time the number of customers affected: More than 100 million users had their data stolen as a result of the event. This is the largest theft of digital health records in the United States that we are aware of.
The implications here are staggering. Change Healthcare is responsible for a number of medical records, data and processes: If you have worked with UnitedHealthcare, you trust Change Healthcare with your medical records, billing and insurance information. In fact, UnitedHealth Group CEO Andrew Witty claims that about a third of US citizens were affected by this hack, demonstrating the significant number of customers the company retains.
The attackers struck the company on February 12. Change Healthcare subsequently shut down its networks in an attempt to stop attackers from causing further damage. (Some Change Healthcare networks remain down to this day.) UnitedHealth Group says the culprit was ALPHV/BlackCat, a Russian ransomware group that has since claimed responsibility. The company paid a $22 million ransom, which the ALPHV/BlackCat leaders then kept for themselves, leaving the real hackers (who were apparently contractors) behind. These hackers, after being refused a part of the ransom, then took the Change Healthcare data they had stolen and attacked UnitedHealth Group again: they published some of the stolen data and, in the process, managed to obtain their own payment from UnitedHealth Group.
As part of the ransom payment, Change Healthcare was able to see the stolen data, allowing them to contact affected customers.
How did the hackers get in?
During the same congressional hearing in which Witty spoke about the number of Americans affected by the hack, the CEO also spoke about how the hackers got inside.
In February, attackers were able to hack Change Healthcare using stolen credentials to log into a server that did not use multi-factor authentication (MFA). MFA ensures that even if you have the correct username and password, you must additionally authenticate with another security method, such as a trusted device or authenticator app. In this situation there was no second authentication step, so the stolen credentials alone were enough for the hackers to break into the system and launch ransomware.
What can you do in the future?
As with most data breaches, there is little you can do to protect the compromised information. Unfortunately, any stolen data is already in the hands of hackers.
However, what you can do is be proactive about your personal safety. First, keep an eye on communications from UnitedHealth Group as the company has been reaching out to all affected users since July. They will let you know if your data has been breached and will likely have their own advice that you can follow.
Then consider subscribing to an identity theft protection service. While these services may not help you recover stolen medical records, they can prevent criminals from misusing your personal information to steal your identity. Our sister site PCMag has a list of their favorite services, so check it out if you’re affected by this breach.
While these services can potentially prevent identity theft and fraud, they may not stop other types of misuse of your information. Fraudsters may try to use your medical records to commit medical fraud by making false claims against your insurance. So keep a close eye on your insurance records and note any claims you didn’t file yourself.
Also, be careful with any emails or messages you receive: your information is public, which means scammers could contact you via email, text, or phone to try to trick you into providing more data or even financial information. Don’t click on strange links or share data with people you don’t know. When in doubt, ignore calls and send emails to spam. It is better to contact an organization or individual yourself than to continue a phone call or respond to an email when you are not 100% sure who is on the other end.