Data leaks and breaches are an unfortunate reality of modern life, as they seem to be occurring with relative frequency. The latest high-profile incident impacts customers of UnitedHealth Group, whose subsidiary, Change Healthcare, reportedly suffered a ransomware attack, resulting in the breach of over 100 million individuals’ data. In short: It’s not good.
What happened with Change Healthcare?
As reported by TechCrunch on Thursday, threat actors attacked Change Healthcare back in February, which caused disruptions and outages for the company for months. Eight months later, parent company UnitedHealth Group shared the number of impacted customers for the first time: More than 100 million users had their data stolen in this event. That makes this the largest digital theft of medical records in the United States that we know of.
The implications here are staggering. Change Healthcare is responsible for a number of medical records, data, and processes: If you’ve worked with UnitedHealthcare, you’ve trusted Change Healthcare with your medical records, as well as your billing and insurance information. In fact, UnitedHealth Group’s CEO, Andrew Witty, claims about a third of U.S. citizens were affected by this hack, demonstrating the significant number of customers the company retains.
Bad actors attacked the company on Feb. 12. Subsequently, Change Healthcare shut down its networks in an attempt to stop the attackers from doing more damage. (Some of Change Healthcare’s network is down to this day.) UnitedHealth Group says the perpetrator was ALPHV/BlackCat, a Russian-based ransomware group that has since claimed responsibility. The company paid the $22 million ransom, which ALPHV/BlackCat leaders then kept for themselves, leaving the actual hackers (who were, apparently, contractors) in the dust. Those hackers, denied their cut of the ransom, then took the Change Healthcare data they stole and attacked UnitedHealth Group again: They published some of the stolen data, and managed to get their own payment from UnitedHealth Group in the process.
As part of the ransom payment, Change Healthcare was able to see the data that was stolen, which enabled them to reach out to affected customers.
How did hackers break in?
During the same Congressional hearing where Witty shared the number of Americans affected by the hack, the CEO also gave insights into how the hackers got in.
Actors were able to hack into Change Healthcare in February by utilizing stolen login credentials on a server that did not employ multi-factor authentication (MFA). MFA ensures that, even if you have the correct username and password, you must further authenticate yourself with another security method, such as with a trusted device, or an authenticator app. As such, there was no backup authentication in this situation, allowing hackers to break in and run ransomware.
What you can do going forward
As with most data breach situations, there’s not much you can do to protect your compromised information. Any data that was stolen is, unfortunately, already in the hands of hackers.
What you can do, however, is be proactive about your personal security. First, look out for communications from UnitedHealth Group, as the company has been reaching out to all affected users since July. They will inform you whether your data was leaked, and will likely have advice of their own you can follow.
Next, consider subscribing to a identity theft protection service. While it might not help you recover your stolen medical records, these services may prevent actors from abusing your personal information to steal your identity. Our sister site PCMag has a list of their favorite services, so check it out if you’ve been impacted by this breach.
While these services can potentially prevent identity theft and fraud, they might not stop other types of misuse of your information. Bad actors may try to use your medical records for medical fraud, making false claims to your insurance. As such, keep a close eye on your insurance records, and flag any claims that you didn’t make yourself.
In addition, exercise caution with any emails or messages you receive: Your info is out there, which means scammers may contact you via email, text, or phone to try to trick you into giving over more data, or even financial information. Don’t click strange links, and don’t share data with individuals you don’t know. When in doubt, ignore the calls, and move the emails to spam. It’s better to contact an organization or individual yourself, rather than continue the phone call or respond to the email when you aren’t 100% sure who’s on the other end.
