UnitedHealth Group has confirmed that a ransomware attack earlier this year has compromised the private data of over 100 million individuals, making it the largest healthcare data breach reported by the U.S. Department of Health and Human Services.
The breach was detailed in the Office for Civil Rights (OCR) Breach Report, released Thursday. The attack, attributed to the hacker group Blackcat (also known as ALPHV), occurred in February when they targeted Change Healthcare, causing significant disruptions for healthcare providers as they struggled to process bills, claims, payroll, and prescriptions for weeks.
Change Healthcare notified the OCR on October 22 that it had sent approximately 100 million individual notices regarding the breach.
The stolen data may include health insurance details, such as policy numbers and government payor IDs, as well as sensitive health information like medical records and treatment history. The breach also involved billing information and other personal data, including Social Security numbers and driver’s license information.
According to testimony from UnitedHealth CEO Andrew Witty, the attackers gained access by exploiting stolen credentials for a Citrix remote access service that lacked multifactor authentication.
Following the breach, UnitedHealth reportedly paid a $22 million ransom to the hackers, but there were indications that further data leaks could lead to additional ransom demands.
Peoplesmind
