UnitedHealth Says Change Healthcare Hack Affects Over 100 Million (techcrunch.com) 35
UnitedHealth Group said a ransomware attack in February resulted in more than 100 million individuals having their private health information stolen. The U.S. Department of Health and Human Services first reported the figure on Thursday. TechCrunch reports: The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting. UHG began notifying affected individuals in late July, which continued through October. The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information -- as well as financial and banking information found in claims and payment data taken by the criminals.
The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.
There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.
The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.
There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.
What has not been hacked yet? (Score:2)
Re: (Score:2, Flamebait)
Computer security is a joke.
The primary entry point for virtually ALL these "hacks" has been the idiot user engaging with the threat actor/s.
There is no software solution for idiots but I would welcome your superior solution based on your obviously extensive, detailed, knowledge in this space.
That being said, one unsecured account to rule them all is ... shockingly bad behaviour.... Sounds like their support engineers decided they didn't want to deal with PIM/PAM/etc.
Re: What has not been hacked yet? (Score:1)
Re: (Score:2)
That is exactly what it comes down to.
Good security isn't easy or cheap and the market has chosen cheap. Zero-Trust is a fine example. A lot of gum flapping to justify turning over a ton of infrastructure control to randos.
but but continuous identity assertions, posture and integrity analysis... blah blah
yes those are all good things to do as far as better security goes and very worth while - you know what would make them even more effective? Keeping control of the infrastructure, supply chain due diligen
Re: (Score:1)
I see Zero Trust Architecture (ZTA) differently than just lip service. If the company actually commits to it (and its associated cost, which is usually somewhat significant), it is a totally valid defense strategy. With traditional "primarily relying on perimeter defense", companies are effectively setting up a single point of failure for their everything. I have seen so many companies who relied mostly on perimeter defense, with services not requiring auth, or they used long lived API keys (often hardco
Re:What has not been hacked yet? (Score:4, Interesting)
Time to change the metrics.
I the CEO's get bonus on how much in sales. Sales goes up. Change it to how secure the information they hold.The security will go up.
Wells fargo already showed this. They told their employees that number of new open accounts establishes their bonus. So everyone opened up accounts illegally to up their numbers.
If they face prison time for breaches, The holes will be filled. They will weed out the people falling for social engineering. They will implement in depth protection within the network.
Simple solution.
The current system is why we have "identity theft" instead of bank fraud. Bank fraud falls on them magic wording "identity theft" leave the individual on the hook and they bank has no responsibility.
Re: (Score:2)
Computer security is a joke.
Maybe, but also:
Lawmakers homed in on how UHG handles so much data and generates so much revenue and failed at basic cybersecurity. According to its 2023 full-year earnings report, UHG made $22 billion in profit on revenues of $371 billion. Witty made $23.5 million in executive compensation the same year.
Imagine if they had put even 0.04% of those profits ($10 million) into additional security and training each year. But I wouldn't be surprised to learn they've actually been cutting security spending the last few years, and that some asshat MBAs got bonuses for doing it.
Jail (Score:5, Insightful)
First, they got hacked. For a company holding critical data, that's bad enough. But then they paid ransom , which the criminals just took and ran off with. So they have encouraged and funded future ransomware attacks.
Criminal charges. Board, CEO, CIO, all the way down the line. Whoever decided not to invest in security, and especially whoever decided to pay the ransom.
Re: (Score:3)
Re: (Score:3, Insightful)
> It's easy to blame Change Healthcare for having lax security, but anyone can get infected with malware when an employee clicks on a link in a fishing email.
True - that's why you have multi-layered security and you segregate your data. Then if multiple layers of protection all fail, all the attackers get is one chunk of data, not all 100 million records of it. In any sane world, if you're dealing with actual medical records, then you need to be sewn up tighter than fort knox.
You also need to have decent
Re: (Score:1)
> First, they got hacked. For a company holding critical data, that's bad enough.
Apparently not only did they get hacked, they lacked suitable disaster recovery and backups to recover from it. Further, they hadn't segregated their data, so probably had a database with 100 million rows, all protected with the exact same set of "security".
They should be entirely out of business by now, with various execs in jail (or at least in court). Instead, they're probably still bumbling along on their sweet handcuff
Re:Jail (Score:4, Interesting)
Congress will do nothing. The big health insurers and the Chamber of Commerce are too powerful. They'll stop any reform in its tracks.
What we have here is the result of merger after merger creating huge companies with way to much clout.
The proper fix (which is never going to happen, unless the whole system is burned to the ground):
1. There needs to be a maximum size a company can grow to before it must break itself into pieces.
2. Trade associations and entities which support general and industry-specific business causes should be heavily regulated.
This will force management to sweat and spend more time on finding unique ways to compete more efficiently.
3. The use of corporate veil piercing must be increased by the courts. Executives must fear going to prison if they expose their customers private information.
As usual (Score:1)
Our weekly (daily?) story about private industry doing it better than government. Next we'll have to suffer through the typical jargon of, "We take your privacy seriously", followed by the CEO getting a big reward for handling the situation as best he could under the circumstances. Needless to say, no one will be held accountable for any part of this.
Re:As usual (Score:5, Funny)
A case of critical punctuation.
"We take your privacy, seriously."
This is why we can't have nice things. (Score:4, Funny)
Come on, guys. Extortion only works if you release your leverage when paid. If you don't hold up your end of the bargain, you ruin it for all those well-intentioned blackmailers. Is that the world you want to live in? One where hacking skills, time, and effort no longer add up to a living wage?
Sad. Sad, and self centered.
Got letter 2 weeks ago,my info hacked for 4th time (Score:3)
Re: (Score:2)
Re:Got letter 2 weeks ago,my info hacked for 4th t (Score:5, Informative)
Yea, I got hacked also. I started the free credit monitoring service offered from UnitedHealth and Change Healthcare via IDX Services but No way. Strike 1: I go to their web site to register but it said the II had to disable my add blocker. Not going to do that. So I call the 1 888 number. I give some information to support and the send me a email link to finish the account setup process. They were very insistent that I check my spam folder and sure enough the email they sent went directly to spam, Strike 2. After I get registering the new account the password I created was never accepted. An "exception error" was generated. Then the support guy asked me if I was useing Chrome browser. I say "No, I'm using Firefox running Slackware Linux". He replied the I have to use Chrome. Strike 3 and you are OUT. So no credit monitoring for me.
Re: (Score:2)
Paying for the witch-hunt (Score:3)
Whose taxes are paying for the witch-hunt caused by UHG doing a shitty job? Until the US loses the 'too big to jail' meme, and and 'do whatever it takes' (to make a profit) meme, ordinary tax-payers will be over a proverbial barrel for all the costs and inconvenience.
Make it a crime (Score:3)
I know hacking in and stealing data is a crime. But make CEOs personally criminally liable for this sort of thing and we would start seeing changes.
My 10-year-old son got a letter in the mail from Charge Healthcare about stolen data! Our kids aren't even safe any more.
Jfc stop paying the ransoms! (Score:5, Insightful)
You got hacked, got it. These are criminals. They are not men of honor. If you pay them off they will still sell the data.
It should be a serious crime to pay them off. Like felony jail time for CEO. As long as they keep getting paid they'll keep attacking. If they never got a penny then most of this would stop because there'd be no incentive. There'd still be some attacks for pure maliciousness but far fewer overall.
Re: (Score:3)
You got hacked, got it. These are criminals. They are not men of honor. If you pay them off they will still sell the data.
It should be a serious crime to pay them off. Like felony jail time for CEO. As long as they keep getting paid they'll keep attacking. If they never got a penny then most of this would stop because there'd be no incentive. There'd still be some attacks for pure maliciousness but far fewer overall.
You know, I'm a person who enjoys theorizing on why people behave, on the surface, in completely irrational and stupendously stupid ways. What I've come up with where it comes to these ransom demands is this:
C-Suites and Boards of Directors have one thing that they all understand: The need to make bank. When they get these demands after a hack, they don't see criminals. Because if they saw criminality in someone demanding money for nothing, especially in the health insurance racket, they would never, ever b
Re: (Score:2)
I've never thought of it like that and I hope you're wrong but you're probably right. My stomach hurts now just thinking about it.
Re: (Score:2)
*NOT* smart enough to realize that they actually *ARE* dealing with their own kind
The ransomers are anonymous, they can't usually be brought to a court of law so no real contract can be made with them. CEOs, board members, and LEGAL should be on the hook for cause when having to deal with them. IANAL but it sounded good in my head.
Might as well say it again (Score:4, Interesting)
Massive leaks of "regular folks" private information will continue until the actual human beings at the top of the companies responsible are sentenced to lengthy prison sentences, and the companies fined so heavily that it can't be written off as just the cost of doing business.
It's not a big leap to imagine companies obtaining people's medical records and using them in any number of ways.
They already sell your data (Score:3)
Even without this hack, health insurance companies have been selling your data so you really have no privacy.
(The HIPAA rules don't protect your private data, they just establish how it can be sold by companies.)
Where are the write one devices? (Score:2)
It would seem that there is a big need for write once storage devices, just write daily/hourly/realtime and then play back when you're hacked.
That would make downtime == how long it takes to wipe every machine (which they need to do anyway) and pull from the storage.