Change Healthcare Cyberattack affects over 100 million people

Threat actors gained access to the private health information of more than 100 million people in the February breach of Change Healthcare – the largest healthcare data breach ever reported to federal regulators – the US Office for Civil Rights disclosed on October 22.

The hack, information about which was revealed in June, may affect up to one third of Americans. It has proven to be one of the most significant cyberattacks of the year and shows how holding data for ransom can lead to physical harm such as delayed delivery of essential medicine.

SEE: Nation-state attackers can search for “target-rich, cyber-poor” organizations like public infrastructure or health care, said CISA advisor Nicole Perlroth.

What was the Change Healthcare cyberattack?

In February, UnitedHealth Group, the parent company of Change Healthcare, discovered that an attacker had introduced ransomware into Change Healthcare’s system. The group ALPHV, sometimes called BlackCat, claimed responsibility for the breach.

In March, Change Healthcare determined that attackers had access to its systems from February 17 to 20. The company brought in “leading experts in cybersecurity and data analytics,” Mandiant staff among them, received a copy of the stolen documents, and analyzed the data set. United Healthcare released a more thorough account of the incident in April.

In a Senate hearing on the issue in May, UnitedHealth Group CEO Andrew Witty said the company had paid a ransom of $22 million in Bitcoin to release the stolen data.

Cybersecurity experts do not recommend paying ransoms because it rewards threat actors, can cause significant financial damage to the business, and does not guarantee the return of data. The US government has considered the controversial idea of prohibiting ransom payments.

Change Healthcare said it cannot specify what data has been affected for each individual. Generally, the stolen data included:

  • First and last name, address, date of birth, telephone number and e-mail.
  • Health information such as diagnoses, medical record numbers, images and test results.
  • Billing, claims and payment information.
  • Other personal information that may be associated with medical records, such as social security numbers, driver’s license or government ID numbers, or passport numbers.

Complete medical histories or doctors’ charts have not been found among the stolen records.

The attack delayed prescription deliveries and led to a business disruption impact of $705 million. Overall, Change Healthcare’s financial outlook for next year is lower than expected.

Change Healthcare offers resources for affected customers

United Healthcare says its investigation into the attack is still ongoing but in its final stages.

The company is still sending messages to those affected. Change Healthcare offers two years of free credit monitoring and identity theft protection from IDX to eligible customers. They provided “trained physicians to provide emotional support services” through a dedicated call center. The call center cannot provide information about what specific data may have been exposed from individual accounts.

United Healthcare recommends that affected patients monitor their bank accounts and health insurance statements. Unusual activity should be reported to their financial institution or healthcare provider as appropriate.

Ransomware attacks on healthcare have far-reaching consequences

Cyberattacks on healthcare data are a perfect storm of potentially lucrative ransom opportunities for threat actors and increased mistrust among affected customers. Patients may lose access to necessary medications and care may be delayed if operations are disrupted.

In May, a ransomware attack against the Ascension hospital system slowed care. Around the same time, the US Advanced Research Projects Agency for Health announced its intention to invest more than $50 million in tools for hospital IT staff to improve their cybersecurity.