Healthcare Data of 100 Million Stolen in UnitedHealth Security Breach

Vlad CONSTANTINESCU

October 28, 2024


UnitedHealth officially announced that threat actors stole the healthcare records of over 100 million individuals during a ransomware attack on its subsidiary, Change Healthcare. The incident is now considered one of the most significant breaches against the healthcare sector.

Scope of the Breach

The breach occurred in February 2024 and was orchestrated by the infamous BlackCat ransomware gang. The cybercrime syndicate also operated under the moniker ALPHV.

During the attack, threat actors leveraged stolen credentials to infiltrate the company’s network through a vulnerable remote access service that lacked multi-factor authentication (MFA).

Once inside, perpetrators exfiltrated over 6 terabytes of sensitive data before encrypting the company’s systems, leading to widespread disruption across the US healthcare sector.

Aftermath of BlackCat’s Ransomware Attack

The aftermath of the security incident is significant; during a congressional hearing in May, UnitedHealth CEO Andrew Witty stated that the attack exposed “maybe a third” of all Americans’ health data. Change Healthcare issued a separate statement, acknowledging that threat actors exfiltrated a “substantial quantity of data,” but without providing any precise figures.

As of October 22, the US Department of Health cleared the air with an update on its breach portal, confirming that the incident impacted 100 million individuals, thus reflecting the first official statement from UnitedHealth.

Numerous Sensitive Details Exposed by the Breach

Perpetrators exposed a plethora of deeply personal details during the breach. According to Change Healthcare’s notification, stolen information includes:

  • Health Insurance Data – Information such as member IDs, government payer information such as Medicaid or Medicare, and insurance policy details
  • Medical Records – Sensitive health records, including diagnoses, test results, medical record numbers, medications, and treatment histories
  • Billing and Payment Information – Billing codes, payment cards, account numbers, claims, and other financial data
  • Personal Identification Data – Threat actors stole even more sensitive data from many individuals, including their Social Security Numbers (SSNs), passport information and driver’s license numbers

It’s worth mentioning that the exact details stolen vary from one individual to another. Furthermore, not all victims had their entire medical history exposed.

Ransom Demands and Ramifications

BlackCat, the ransomware group that orchestrated the attack, demanded a ransom payment in exchange for a decryptor and the deletion of stolen data. Reportedly, UnitedHealth complied and issued the attackers a $22 million payment. However, the perpetrators suddenly pulled an exit scam, disappearing without a trace and leaving the company without any assurance that the stolen data had been deleted.

Subsequently, a former BlackCat affiliate claimed they still possessed Change Healthcare data, demanding additional ransom under a new malicious operation dubbed RansomHub.

Threat actors steadily leaked fragments of the stolen data on the RansomHub website. However, the data suddenly vanished from the ransomware platform, sparking theories that UnitedHealth may have folded a second time and paid a ransom to prevent further exposure.

Dealing With The Fallout of Data Breaches

Unfortunately, data breaches often occur regardless of companies' defense strategies against cyber attacks. Furthermore, customers or, in this case, patients of affected entities have no control over these unfortunate security incidents.

However, being prepared in the event disaster strikes is crucial in today's cyber landscape. Dedicated services like Bitdefender's Digital Identity Protection can help you stay one step ahead of attackers by always knowing what happens to your online data.

It features a comprehensive overview of your online data, including traces from no-longer-used services, notifies you instantly if your data has been leaked in a breach and provides you with quick, 1-click actions to patch holes in your digital footprint instantly.


Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
