Friday, December 13, 2024

A massive healthcare data breach has compromised sensitive information belonging to nearly 100 million individuals.

Change Healthcare has notified approximately 100 million individuals that their sensitive personal, financial, and health-related data may have been compromised during a February 2024 ransomware attack, making this the largest known breach of protected health information on record.

Picture: Tamer Tuncay, Shutterstock.com.

A ransomware attack on Change Healthcare in February 2024 caused widespread disruptions across the United States that became apparent about three weeks into the month. The healthcare system’s stability was severely affected for an extended period, primarily because of the company’s central role in processing financial transactions and medication orders for thousands of organizations nationwide.

By April, Equifax had projected that the breach would impact a substantial percentage of Americans. On October 22, the US Department of Health and Human Services announced that roughly 100 million notifications had been sent regarding this data breach.

A notification letter from Change Healthcare stated that the breach involved the unauthorized acquisition of:

* Health information: medical record numbers, provider information, diagnoses, medications, test results, images, and care and treatment plans.
* Billing information: including payment card, financial, and banking information.
* Other personal information: Social Security numbers and driver’s license or state identification numbers.
* Health insurance information: health plans and policies, insurance companies, member/group ID numbers, and government program identifiers such as Medicaid and Medicare ID numbers.

For the nine-month period ending September 30, 2024, Change’s parent company recorded $1.521 billion in direct breach response costs, while total costs attributed to the cyberattack reached $2.457 billion.

The corporation revealed that it had paid approximately $22 million in ransoms to notorious ransomware groups, including and , to secure the destruction of exfiltrated healthcare data.

After an affiliate who had facilitated BlackCat’s access to Change’s network accused the criminal group of cheating them out of their share of the ransom payment, the BlackCat ransomware operation abruptly shut down, leaving the affiliates who had worked for it unpaid.

Dear valued customer,

We regret to inform you that there has been a potential security incident affecting your data stored on our systems. As part of our commitment to transparency and compliance with industry regulations, we are taking immediate action to address the issue and notify those potentially impacted.

On [Date], an unauthorized third-party gained access to certain Change Healthcare databases containing sensitive information, including [list specific types of data]. We take this incident very seriously and have launched a thorough investigation to determine the extent of the breach and identify any potential risk to your personal or professional information.

As part of our incident response plan, we are working closely with law enforcement and forensic experts to contain and remediate the issue. We are also conducting a comprehensive review of our systems and processes to prevent such incidents from occurring in the future.

To ensure the security of your data, we recommend that you take immediate action by:

* Changing passwords for all accounts linked to Change Healthcare
* Reviewing account activity regularly to detect any suspicious behavior
* Enabling two-factor authentication (2FA) on all accounts where possible

We are committed to keeping your information secure and will continue to monitor the situation closely. If we determine that your data was accessed, compromised or otherwise affected during this incident, we will notify you directly and provide additional guidance on steps you can take to protect yourself.

Thank you for your understanding and cooperation in this matter. If you have any questions or concerns, please do not hesitate to reach out to our dedicated support team at [support email] or call us at [phone number].

Sincerely,
[Your Name]
Change Healthcare

Following BlackCat’s collapse, the same pilfered healthcare data suddenly surfaced online courtesy of a rival ransomware syndicate, notoriously identified as .

“Affected insurance providers can reach out to us to prevent unauthorized disclosures of their data and have it removed from our sale offerings,” RansomHub’s victim-shaming blog stated on April 16. “UnitedWellbeing and ChangeWellbeing’s processing of sensitive data across both organizations is truly impressive.” “For some Americans, there’s a lingering skepticism about our company; understandably, many are worried that we may possess their personal data.”

The extent to which RansomHub profited from the stolen healthcare data remains unclear. The chief information security officer for a large educational healthcare system affected by the breach told KrebsOnSecurity that they had worked with the FBI and were told that a third-party associate managed to recover at least 4 terabytes of data exfiltrated from the Change platform by the cybercriminal group. The FBI declined to comment.

In response to a data security incident involving your personal information at Change Healthcare, we are offering you complimentary credit monitoring and identity theft protection services for up to two years through Experian IdentityWorks.

“Why did this occur? A malicious actor exploited vulnerabilities in our PC system, circumventing our security measures to gain unauthorized access.”

In June 2024, testimony before the Senate Finance Committee revealed that the attackers had obtained login credentials for a Citrix remote-access portal that did not require multi-factor authentication.

In December, Representatives Suzanne Bonamici (D-VA) and Peter DeFazio (D-Ore.) introduced legislation that would require the Department of Health and Human Services to establish and enforce a comprehensive set of cybersecurity standards for healthcare providers, health plans, clearinghouses, and business associates. The proposed rule would also eliminate the existing fine cap under the Health Insurance Portability and Accountability Act, allowing the Department of Health and Human Services to impose more substantial financial penalties on healthcare providers.

According to the HIPAA Journal, the largest penalty levied thus far for a HIPAA violation was $16 million, paid by an insurer that experienced a significant data breach in 2015, compromising personal information of approximately 78.8 million individuals. In 2015, Anthem recorded revenues of approximately $80 billion.

RansomHub’s posting about the Change Healthcare data, April 8, 2024. Picture: Darkbeast, ke-la.com.

Unfortunately, individuals whose sensitive medical information was compromised in this breach may have little recourse. Even setting the medical data aside, more than enough information was exposed to enable identity theft; it would therefore be advisable to place a security freeze on your own credit file and those of your family members if you have not already done so.

To prevent identity thieves from opening new accounts in your name, consider freezing your credit files with both Experian and TransUnion. The process is now free for everyone, and it prevents would-be creditors from accessing your credit report. Parents and legal guardians can also freeze their children’s or dependents’ credit files to prevent identity theft and financial exploitation.

Because few new lines of credit are issued without a credit check, freezing your credit files with the Big Three thwarts many identity theft schemes. A credit freeze does not stop misuse of existing credit lines, such as credit cards or mortgage accounts, but it does protect against identity thieves seeking to open new lines of credit in your name. You can temporarily lift a freeze when you need to, for example when applying for a mortgage or a new credit card, by verifying your identity with the relevant credit reporting agency.

While all three bureaus let consumers place a freeze online once they have established an account, they subtly discourage consumers from doing so. By offering what they call “credit locks,” the credit reporting agencies aim to steer consumers toward a product that achieves a similar outcome while allowing the bureaus to continue selling access to consumer files to select partners.

If you haven’t reviewed your credit report recently, this may be an ideal opportunity to check for any inaccuracies or discrepancies that could affect your financial health. By law, individuals are entitled to one free report from each of the three major credit reporting agencies. The federal government has extended a program initiated in 2020 that allows individuals to access their credit reports from each of the three major bureaus once a week for free.
