UnitedHealth has admitted that the health data of more than 100 million Americans was exposed in a hack. This is the first time the multinational health insurance and services company, has attributed a specific number to the cyberattack that took place earlier this year.
UnitedHealth Group (UHG) acquired Change Healthcare in 2022. The two companies are now part of the same healthcare organization under the UnitedHealth brand.
In February this year, Change Healthcare suffered a massive data breach. However, the company did not mention the number of individuals whose data was exposed.
In May, UnitedHealth CEO Andrew Witty indicated that "maybe a third" of all American's health data was exposed in the attack. A month later, Change Healthcare published a data breach notification, wherein the company merely stated that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America."
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has updated the "Data Breach" portal. The column for Change Healthcare hack reportedly mentions that 100 million individuals are affected.
The FAQ section on the OCR website now mentions "On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach."
Needless to say, with 100 million American citizens impacted, the ransomware attack could be one of the largest in recent years. What's even more concerning apart from the number of civilians, is how the data breach was handled.
According to Bleeping Computer, threat actors stole 6TB of data from Change Healthcare. The attackers then encrypted computers on the network. As a remedial measure, the UnitedHealth subsidiary shut down its IT systems. This led to widespread outages in the U.S. healthcare system.
The BlackCat ransomware group, which conducted the attack, may have received about $22 million from UnitedHealth Group. The company allegedly paid to receive a decryption key and ensure the ransomware group deleted the stolen data.
The affiliate that worked with the ransomware group didn't delete the data immediately. However, the entry for Change Healthcare has mysteriously disappeared from the affiliate's website. This suggests UnitedHealth may have paid a second ransom demand.
It is not clear how UnitedHealth will be penalized. T-Mobile recently paid a paltry fine of $31.5 million for multiple data breaches. The carrier will get half the money to invest in tech to improve cybersecurity.