Affected data includes social security numbers, bank details, payment cards and medical diagnoses.
US health insurance giant UnitedHealth Group has revealed that 100m people had their personal information and healthcare data stolen in the February ransomware attack on its Change Healthcare business.
On 22 October, Change Healthcare informed the US Office for Civil Rights (OCR) that approximately 100m people were affected in the attack, and yesterday (24 October), the OCR’s data breach portal updated the total number impacted in the breach, making it the largest by tens of millions in the US department’s list of more than 800 breaches currently under investigation.
Change Healthcare came under a ransomware attack on 12 February this year, leading to widespread outages in the US healthcare system, disrupting IT services and causing massive losses to both the company and to patients who were unable to access discounts on their healthcare services.
The company revealed that the impacted data included sensitive health information such as medical record numbers and diagnoses, banking information such as account numbers and payment cards, and other personal information such as social security numbers, driver’s licenses and passport numbers, among much more.
Following an analysis, the company confirmed in April that the impact could have affected a “substantial proportion of people in America”.
Later, at a congressional hearing in May, UnitedHealth CEO Andrew Witty said that “maybe a third” of all Americans’ protected healthcare data was stolen, adding that AlphV, a cybercriminal gang was behind the attack.
The group demanded a ransom of $22m in bitcoin which the company paid, however, the stolen data was up for sale still after this. According to a BleepingComputer report, UnitedHealth may have paid a second ransom to try to keep the date from being leaked.
In April, the company reported that the attack, which continues to have a lingering impact, cost UnitedHealth $872m in the first quarter of 2024, with an estimated impact of between $0.30 to $0.40 per share for the full year.
The World Economic Forum said that the healthcare industry has become a “prime target” for cybercriminals costing an average of $10.93m per breach in 2023.
While yesterday, a PwC global survey showed that only 28pc of Irish companies have implemented robust cybersecurity across their organisations.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.