Cyberattack on UnitedHealth Group's Change Healthcare: Largest Health Data Breach in U.S. History


4/24/2024, 4 min read

It has now been over two months since UnitedHealth Group first disclosed a cyberattack on its Change Healthcare subsidiary in late February. In the weeks since, more troubling details about the scope of the breach have slowly come to light. On Monday, UnitedHealth Group revealed that a "substantial portion" of the American population was likely impacted, with experts predicting this breach could end up surpassing the Anthem hack of 2015 as the largest health data breach on record.

Change Healthcare is a major player in the healthcare transaction processing space, handling an estimated 15 billion transactions annually and interacting with around one-third of patients in the U.S. According to the latest Census data, that puts the potential number of individuals affected by this breach in the hundreds of millions. Lawyers advising healthcare clients have stated covered entities should be on high alert, closely monitoring any reports from UnitedHealth Group to regulators as well as keeping an eye out for potential exposure of patient data online. Proactive risk assessments will also be crucial for organizations to document their compliance efforts in the aftermath of such a massive incident.

Details about how the initial intrusion occurred have also started to trickle out. Reports indicate the attackers first gained access to Change Healthcare's internal network using compromised credentials for a remote access application, nine days before deploying ransomware. Relying on stolen log-in information is an increasingly common tactic for cybercriminals seeking an easy way in. Once inside the network, the hackers had ample time to explore for valuable data to extract and demand ransom for.

Experts note the remote access tool used, speculated by some to be ConnectWise ScreenConnect, was vulnerable at the time to exploitation. Had the product been properly patched, it may have blocked this initial entry vector. The long period of undetected activity before the ransomware execution also suggests weaknesses in the victim's monitoring capabilities. Hackers often leverage holidays or weekends, when staffing is lower, to maximize their window of opportunity. All organizations can learn from this that credential security, vulnerability management and network monitoring are core pillars of defense that, when neglected, leave the door wide open for opportunistic cyberthreats.

In another troubling development, screenshots of files allegedly stolen in the attack were briefly posted online last week before being removed. UnitedHealth Group confirmed "no further publication" has occurred so far. However, the exposure of any protected health information represents a serious risk to patients. It remains unknown how much data the criminals were able to walk away with during their nine days inside Change Healthcare's systems.

Ransom demands have also muddied the waters, with UnitedHealth Group acknowledging paying attackers but not specifying the amount. Reports put the sum at $22 million, a payment that a ransomware group affiliate now claims to have been cheated out of their share of. The posting and subsequent removal of files from a leak site last week fueled theories that UnitedHealth paid a second ransom as well. While ransom payments remain a controversial issue, most experts agree they only incentivize further criminal behavior and do little to ensure stolen data is destroyed.

As the largest breach in healthcare looms on the horizon, all entities that entrust their patient data to Change Healthcare would be wise to carefully review their own risk exposure. Proactive steps like contacting the company for information, documenting impact assessments, and monitoring for signs of leaked data can help satisfy compliance obligations. But this incident is also an important reminder of the inherent vulnerabilities in our digital systems. Even massive organizations with considerable security resources are not immune to the evolving tactics of motivated cyberthreats. Constant adaptation will be needed by all players to keep one step ahead in what has become an endless cat-and-mouse game of protecting sensitive information in our interconnected world.

Ensuring Data Security and Protection

Impacted individuals should take immediate action to protect their personal information and minimize the potential damage caused by the data breach. Here are some steps that affected individuals can take:

  1. Monitor financial accounts: Keep a close eye on bank accounts, credit card statements, and other financial accounts for any suspicious activity. If any unauthorized transactions are detected, contact the financial institution immediately to report the issue and take appropriate action.

  2. Change passwords: It is crucial to change passwords for all online accounts, especially those that may have been compromised in the breach. Use strong, unique passwords that are not easily guessable and consider using a password manager to securely store and manage passwords.

  3. Enable two-factor authentication: Two-factor authentication adds an extra layer of security by requiring an additional verification step, such as a unique code sent to a mobile device, when logging into an account. Enable this feature wherever possible to enhance the security of online accounts.

  4. Be cautious of phishing attempts: Cybercriminals may try to exploit the data breach by sending phishing emails or making phone calls posing as UnitedHealth Group or other legitimate organizations. Be wary of any unsolicited communications and avoid clicking on suspicious links or providing personal information over the phone unless you can verify the legitimacy of the request.

  5. Consider credit monitoring services: In cases where sensitive personal information, such as Social Security numbers or financial details, may have been compromised, affected individuals may want to consider enrolling in credit monitoring services. These services can help detect any suspicious activity related to credit and alert individuals to potential identity theft.

  6. Stay informed: Regularly check for updates and guidance provided by UnitedHealth Group regarding the breach. The company will likely provide further instructions on how affected individuals can protect themselves and what additional resources or support may be available.

While it is unfortunate that the data breach has occurred, taking these precautionary measures can help affected individuals minimize the potential risks and protect their personal information. It is important to remain vigilant and proactive in safeguarding personal data in an increasingly digital world.