Threat actors accessed the private health information of more than 100 million people in the February breach of Change Healthcare – the largest healthcare data breach ever reported to federal regulators – the US Office for Civil Rights revealed on October 22 .

The hack, which was disclosed in June, could affect up to a third of the Americans. It turned out to be one of the most significant cyber attacks of the year and shows how ransomed data can lead to physical harm, such as the delayed delivery of essential medicines.

SEE: Nation-state attackers can search “target-rich, cyber-poor” organizations. such as public infrastructure or health care, said CISA advisor Nicole Perlroth.

What was the Change Healthcare cyber attack?

In February, UnitedHealth Group, the parent company of Change Healthcare, FOUND which an attacker had introduced ransomware in Change Healthcare systems. The group ALPHV, sometimes called BlackCat, claimed responsibility for the breach.

By March, Change Healthcare had determined that attackers accessed its systems between February 17 and 20. The company brought in “leading experts in cybersecurity and data analytics.” Mandiant personal among them and obtained a copy of the stolen records by analyzing the data set. United Healthcare published a more detailed account of the incident in April.

One Senate hearing on this issue in MayUnitedHealth Group CEO Andrew Witty said the company paid a ransom of $22 million in Bitcoin to release the stolen data.

Cyber ​​Security Experts we don’t recommend paying ransoms because it rewards threat actors, can cause significant financial damage to the business, and does not guarantee the return of data. The US government considered the controversial idea of ban redemption payments.

Change Healthcare said it could not specify what data was affected for each individual. In general, the stolen data included:

• First and last name, address, date of birth, telephone number and email.
• Health information such as diagnoses, medical record numbers, images and test results.
• Billing, Complaints and Payment Information
• Other personal information that may be associated with medical records, such as social security numbers, driver’s licenses or state identification numbers, or passport numbers.

No complete medical history or doctors’ records were found among the stolen data.

The attack delayed the delivery of prescriptions and led to a business interruption impact of 705 million dollars. Overall, Change Healthcare’s financial outlook for next year is lower than expected.

Change Healthcare provides resources for affected clients

United Healthcare says its investigation into the attack is still ongoing but in its final stages.

The company continues to send notifications to those affected. Change Healthcare offers two years of free credit monitoring and identity theft protection services from IDX to eligible customers. They provided “physicians trained to provide emotional support services” through a dedicated call center. The call center cannot provide information about what specific data may have been exposed from individual accounts.

United Healthcare advises affected patients to monitor their bank accounts and health insurance statements. Unusual activity should be reported to the financial institution or health care provider, as appropriate.

Ransomware attacks on health have far-reaching consequences

Cyberattacks on healthcare data present a perfect storm of potentially profitable random opportunities for threat actors and increased mistrust among affected customers. Patients may lose access to needed medications and care may be delayed if operations are interrupted.

In May, a ransomware attack on the Ascension hospital system slowed care. Around the same time, the US Agency for Advanced Research Projects in Health announced his intention to invest more than $50 million in tools for hospital information technology professionals to improve their cybersecurity.