Malicious actors accessed the private health information of more than 100 million people in February’s Change Healthcare breach – the largest healthcare data breach ever reported to federal regulators – the US rights office revealed civic events on October 22.

The hack, details of which were revealed in June, could affect up to a third Americans. It is one of the largest cyberattacks of the year and shows how ransomed data can lead to physical damage, such as late delivery of essential medicines.

SEE: Nation-state attackers can search Organizations “rich in targets, but cyber-poor” like public infrastructure or health care, said CISA advisor Nicole Perlroth.

What is the Change Healthcare cyberattack?

In February, UnitedHealth Group, the parent company of Change Healthcare, discovered that an attacker had introduced ransomware in Change Healthcare systems. The ALPHV group, sometimes called BlackCat, claimed responsibility for the breach.

In March, Change Healthcare determined that attackers accessed their systems between February 17 and 20. The company brought in “leading experts in cybersecurity and data analytics.” Mandiant among them, and obtained a copy of the stolen records, by analyzing the dataset. United Healthcare published a more detailed account of the incident in April.

In a Senate hearing on the issue in MayAndrew Witty, CEO of UnitedHealth Group, said the company paid a $22 million ransom in Bitcoin to release the stolen data.

Cybersecurity experts I do not recommend paying ransoms because it rewards threat actors, can cause significant financial harm to the company and does not guarantee data return. The US government has considered the controversial idea of prohibition ransom payments.

Change Healthcare said it could not specify what data was affected for each individual. Typically, the stolen data included:

• First and last name, address, date of birth, telephone number and e-mail.
• Health information such as diagnoses, medical record numbers, images and test results.
• Billing, Claims, and Payment Information
• Other personal information that may be associated with medical records, such as Social Security numbers, driver’s licenses or state identification numbers, or passport numbers.

Among the stolen data, no complete medical history or medical records were found.

The attack delayed the delivery of prescriptions and led to a business disruption impact of 705 million dollars. Overall, Change Healthcare’s financial outlook for next year is lower than expected.

Change Healthcare offers resources to affected customers

United Healthcare says its investigation into the attack is still ongoing, but is in its final stages.

The company continues to send notifications to affected individuals. Change Healthcare is offering two years of free credit monitoring and identity theft protection services from IDX to eligible customers. They provided “clinicians trained to provide emotional support services” through a dedicated call center. The call center cannot provide information on specific data that may have been exposed from individual accounts.

United Healthcare recommends that affected patients monitor their bank accounts and medical insurance statements. Any unusual activity should be reported to their financial institution or healthcare provider, if applicable.

Healthcare ransomware attacks have far-reaching consequences

Cyberattacks on healthcare data pose a perfect storm of potentially lucrative random opportunities for bad actors and increased distrust among affected customers. Patients may lose access to necessary medications and care may be delayed if operations are disrupted.

May ransomware attack on Ascension hospital system slowed care. Around the same time, the US Health Care Advanced Research Projects Agency announced his intention to invest more than $50 million in tools for hospital information technology professionals to improve their cybersecurity.