Change Healthcare Breach Affects 100M Americans – Krebs on Security

Change Healthcare says it has notified nearly 100 million Americans that their personal, financial and health care records may have been stolen in a February 2024 ransomware attack that caused the largest-ever known data breach of protected health information.

Photo: Tamer Tuncay, Shutterstock.com.

The ransomware attack on Change Healthcare in the third week of February quickly caused disruptions across the US health care system that lasted for months, because of the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated that the breach would affect “a substantial proportion of people in America.” On Oct. 22, the healthcare giant informed the US Department of Health and Human Services (HHS) that “approximately 100 million individual notices have been sent regarding this breach.”

A notice letter from Change Healthcare said the breach involved the theft of:

- Health Data: Medical records, providers, diagnoses, medications, test results, images, care and treatment;
- Payment Records: Records including payment cards, financial records and bank records;
- Your Data: Social Security number; driver’s license or state identification number;
- Insurance Data: Health plans/policies, insurance companies, member/group identification numbers, and government Medicaid-Medicare-payer identification numbers.

The HIPAA Journal reports that in the nine months ending September 30, 2024, Change’s parent company UnitedHealth Group incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include the $22 million the company agreed to pay to the extortionists, a ransomware group known as BlackCat (aka ALPHV), in exchange for a promise to destroy the stolen health care data.

That ransom payment went sideways when the affiliate that gave BlackCat access to Change’s network claimed the gang cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all the money still owed to the affiliates who had been hired to deploy its ransomware.

Breach notice from Change Healthcare.

A few days after BlackCat shut down, the same stolen healthcare data was offered for sale by a competing ransomware group called RansomHub.

“Affected insurance providers can contact us to prevent the leaking of their own data [and remove it] from the sale,” RansomHub’s victim-shaming blog announced on April 16. “Change Healthcare and United Health processing of sensitive data for all of these companies is just something unbelievable. For most of the US citizens who doubt us, we probably have your personal data.”

It is unclear whether RansomHub ever sold the stolen healthcare data. The chief information security officer of a large health care system affected by the breach told KrebsOnSecurity that they were on a call with the FBI and were told that a partner was able to obtain at least four terabytes of the data stolen from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In a section of the notice letter titled “Why did this happen?,” Change only shared that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the attackers had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of strong cybersecurity standards for health care providers, health plans, health facilities and business associates. The bill would also eliminate an existing cap on penalties under the Health Insurance Portability and Accountability Act (HIPAA), which severely limits the financial penalties HHS can impose on providers.

According to the HIPAA Journal, the largest fine imposed so far for a HIPAA violation was a relatively small $16 million fine on the insurance company Anthem Inc., which experienced a data breach in 2015 affecting 78.8 million people. Anthem reported revenue of approximately $80 billion in 2015.

A post about the Change Healthcare breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of these breaches can do about having their health care records compromised. However, because the exposed data includes more than enough information for identity thieves to do their thing, it would be wise to put a freeze on your credit file and those of your family members if you haven’t already.

The best way to prevent identity thieves from opening new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and it simply prevents potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files of their children or dependents.

Since very few creditors are willing to extend new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to prevent the most common forms of ID theft. Having a freeze does nothing to prevent you from using lines of credit you already have, such as credit cards, mortgages and bank accounts. When and if you ever need to allow access to your credit file, such as when you apply for a loan or a new credit card, you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow consumers to place a freeze electronically after creating an account, but all of them try to steer consumers away from freezing. Instead, the bureaus hope that visitors will opt for their confusingly named “credit lock” services, which achieve the same effect but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any inaccuracies or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the three major bureaus have indefinitely extended a program enacted in 2020 that allows you to check your credit report at each agency once a week for free.
