Change Healthcare has confirmed that a February ransomware attack on its systems, which brought widespread disruption to the U.S. healthcare system for weeks, resulted in the theft of medical records affecting a “substantial proportion of people in America.”
In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack.
The health tech giant, owned by U.S. insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company has access to massive amounts of health information on about a third of all Americans.
The cyberattack prompted the company to shut down its systems, resulting in outages and delays to thousands of healthcare providers who rely on Change, and affecting countless patients who could not obtain prescriptions or had medical care or procedures delayed.
Change said in its latest statement that it “cannot confirm exactly” what data was stolen about each individual, and that the information may vary from person to person.
The affected information includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identity documents, such as Social Security numbers, driver’s licenses and passport numbers.
The data also includes medical records and health information, such as diagnoses, medications, test results, imaging, and care and treatment plans, said Change. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said includes financial and banking information.
Change said it was still in the “late stages” of its review of the stolen data to determine what was taken and that more affected individuals may be identified. Some of the stolen information may relate to guarantors who paid healthcare bills for someone else, the company said.
The company added that affected individuals should receive notice by mail beginning late July.
The ransomware attack on Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records. While the full impact of this data breach remains unclear, the ramifications for the millions of Americans whose private medical information was irretrievably compromised are likely incalculable.
Change said it secured a copy of the stolen dataset in March so it could review the data to identify and notify affected individuals. TechCrunch previously reported that the copy was obtained in exchange for paying a ransom demand.
UnitedHealth confirmed it paid at least one ransom demand to the cybercriminal group behind the ransomware attack, known as ALPHV, in an effort to prevent the publication of the stolen files. Another hacking group called RansomHub demanded an additional payment from UnitedHealth after claiming ALPHV made off with the first ransom payment but left the stolen data with one of its affiliates — essentially a contractor — who broke in and deployed the ransomware on Change’s systems.
RansomHub subsequently published several files on its dark web leak site and threatened to sell the data to the highest bidder if another ransom wasn’t paid.
According to UnitedHealth chief executive Andrew Witty, the hackers broke into Change Healthcare’s network using a set of stolen credentials to an internal system that was not protected with multi-factor authentication, a security feature that makes it more difficult for malicious hackers to misuse stolen passwords.
The ransomware attack cost UnitedHealth around $870 million in the first three months of the year, during which the company made $100 billion in revenue, according to the company’s earnings report. UnitedHealth is expected to report its most recent earnings in mid-July.