UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.
In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that “perhaps a third” of all Americans’ health data was exposed in the attack.
A month later, Change Healthcare published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a “considerable amount of data” for a “considerable share of people in America.”
Today, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of impacted people to 100 million, making it the first time UnitedHealth, the parent company of Change Healthcare, put an official number to the breach.
“On October 22, 2024, Change Healthcare notified OCR that roughly 100 million individual notices were sent regarding this breach,” reads an updated FAQ on the OCR website.
Updated number of people impacted by the Change Healthcare data breach
Source: HHS
Data breach notifications sent by Change Healthcare since June state that a large amount of sensitive information was stolen during the February ransomware attack, including:
Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The information may be different for each individual, and not everyone’s medical history was exposed.
The Change Healthcare ransomware attack
This data breach was caused by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which led to widespread outages in the U.S. healthcare system.
The disruption to the company’s IT systems prevented doctors and pharmacies from filing claims and prevented pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.
The BlackCat ransomware gang, aka ALPHV, conducted the attack, using stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.
During the attack, the threat actors stole 6 TB of data and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread of the attack.
The UnitedHealth Group admitted to paying a ransom demand to receive a decryptor and for the threat actors to delete the stolen data. The ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.
This ransom payment was supposed to be split between the affiliate and the ransomware operation, but the BlackCat operation suddenly shut down, stealing the entire payment for themselves and pulling an exit scam.
However, this wasn’t the end of Change Healthcare’s problems, as the affiliate claimed they still had the company’s data and didn’t delete it as promised. The affiliate partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data not to be released.
The entry for Change Healthcare on RansomHub’s data leak site mysteriously disappeared a few days later, likely indicating that United Health paid a second ransom demand.
UnitedHealth said in April that the Change Healthcare ransomware attack caused $872 million in losses, which increased as part of the Q3 2024 earnings to an expected $2.45 billion for the nine months to September 30, 2024.