United Healthcare: Largest healthcare data breach in U.S. history

Incident Overview

In February 2024, UnitedHealth Group's subsidiary, Change Healthcare, experienced a significant ransomware attack executed by the cybercriminal group ALPHV, also known as BlackCat. Initially, the breach was reported to have compromised the personal information of over 100 million individuals, but recent estimates have increased this number to approximately 190 million people, making it the largest healthcare data breach in U.S. history.

Details of the Breach

Date of Attack: February 21, 2024.
Method of Entry: Attackers used compromised credentials to access a Citrix remote access portal lacking multifactor authentication. Once inside, they moved laterally within the system, exfiltrated data, and deployed ransomware nine days later.
Compromised Information: The stolen data includes health insurance details, medical records, billing and payment information, and personal identifiers such as Social Security numbers and driver's license numbers.

Impact

Operational Disruptions: The attack caused widespread disruptions in claims processing, affecting patients and healthcare providers nationwide. Electronic payments and medical claims were halted, forcing patients to pay out of pocket for medications and services. Healthcare providers reported significant revenue losses, with some estimating losses of up to $100 million per day, threatening their financial stability.
Financial Costs: UnitedHealth Group estimates direct costs and business interruption losses of approximately $3.09 billion due to the breach.

Response

Ransom Payment: UnitedHealth Group paid a ransom of $22 million to the attackers in an attempt to recover the stolen data. Despite this payment, there were subsequent threats of further data leaks, indicating potential additional ransom demands.
Support for Affected Individuals: Change Healthcare is offering support to those concerned about their personal data, including free credit monitoring services. Affected individuals are encouraged to register online with IDX for these services.

Regulatory and Legal Actions

Investigations: The U.S. Department of Health and Human Services has initiated a civil rights investigation concerning patient privacy violations resulting from the breach. Additionally, the Department of Justice has launched an antitrust and Medicare overcharging probe into UnitedHealth Group.

This breach underscores the critical importance of robust cybersecurity measures in the healthcare sector, including the implementation of multifactor authentication and comprehensive incident response strategies, to protect sensitive patient information and maintain operational integrity.