UnitedHealth has confirmed, for the first time, that the data of 100 million American citizens were compromised in the hack earlier in the year.
The February cyberattack targeted UnitedHealth’s Change Healthcare unit. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) was notified by Change Healthcare that “approximately 100 million individual notices have been sent regarding this breach,” according to an Oct. 24 update on the federal agency’s website with its data breach portal reflecting the revised numbers.
In May, during a House Oversight and Investigations Subcommittee hearing on the hacking incident, UnitedHealth CEO Sir Andrew Witty told lawmakers that the breach impacted a third of Americans, who could have had their sensitive health information leaked to the dark web. The 100-million mark makes the incident the largest-ever health care data breach in the country.
The total yearly estimated costs of the cyberattack are $2.87 billion, based on UnitedHealth Group’s Q3 report, published this month—up from the $2.45 billion estimated in July. Revenues for the corporation went up nearly $8.5 billion to $100.8 billion in the third quarter, with commercial domestic customers increasing by 2.4 million yearly.
According to Change Healthcare (CHC), the data breach could be different for each impacted individual, with information such as first and last name, address, date of birth, phone number, and email falling into the hands of malicious actors.
Other than basic identification, hackers would have acquired health insurance information, including primary, secondary, or other health plans/policies, insurance companies, and Medicaid-Medicare-government payor ID numbers, as well as medical record numbers, providers, diagnoses, medicines, test results, images, care, and treatment.
Other breached information includes billing, claims, and payment information such as payment cards, financial and banking information, Social Security numbers, driver’s licenses or state ID numbers, and passport numbers. This information could be related to patients or guarantors who paid bills for health care services.
“The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems,” according to an Oversight and Investigations Subcommittee report published in May.
Twenty-two million dollars in Bitcoin were paid in ransom, and CEO Witty confirmed that the hackers did not make copies of protected or personal data or upload it to the Internet.
“Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition,” Witty said. “But for some reason, which we continue to investigate, this particular server did not have MFA on it.”
Based in Minneapolis, Minnesota, UnitedHealth is the largest single health carrier in the United States, providing services to 149 million individuals through nearly 400,000 employees nationwide.
Cyber Risks in Health Care Sector
The Change Healthcare cyber attack had a massive impact on the sector, given that the firm completes 15 billion health care transactions every year and has one in three American patient records passing through its system.According to a survey released by the American Medical Association in late April, a vast majority of respondents faced major challenges in the aftermath of the breach, including issues with verifying patient eligibility, barriers with claim submissions, and disruptions in claim payments. The respondents faced these issues despite UnitedHealth claiming that services were restored.
A Sept. 17 report from Check Point Research found that the healthcare industry is the third most common target of cyber attacks.
Between January and September 2024, the weekly average number of attacks per health care entity was 2,018, up 32 percent from the same period last year.
“Hospitals and patients are frequently targeted by well-coordinated ransomware attacks. Ransomware groups provide encryption tools and infrastructure to collaborators, and stolen sensitive data is often posted online to pressure victims into paying,” the report said.
“This tactic leverages the fear of hefty fines for privacy violations and the risk to patient safety or hospital operations.”
The American Hospital Association (AHA) noted in a post that health care entities are “particularly vulnerable and targeted” by cyber attacks as they possess large quantities of information that have high intelligence or monetary value to those who steal them.
Stolen health records may be sold at up to 10 times the price compared to stolen credit card numbers, it noted. As for health care organizations, the expenditure incurred to deal with these security incidents can be massive.
“The cost to remediate a breach in health care is almost three times that of other industries, averaging $408 per stolen health care record versus $148 per stolen non-health record,” AHA stated.