
A ‘substantial proportion’ of Americans exposed in Change Healthcare cyberattack


UnitedHealth Group reported April 22 that “a substantial proportion of people in America” could have had their protected health information (PHI) or personally identifiable information (PII) exposed in the now-famous ransomware attack on Change Healthcare. 

SC Media has reported that Change Healthcare, which is owned by UnitedHealth Group subsidiary Optum, suffered a cyberattack on Feb. 21, leading to widespread operational disruptions at hospitals and pharmacies across the United States. The case has led to an alleged $22 million ransom payment to BlackCat/ALPHV as well as news that a second threat group, RansomHub, had leaked a portion of stolen Change Healthcare data on the dark web.

In a public statement on Monday, UnitedHealth said it found 22 screenshots containing PHI and PII from exfiltrated files that were posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time, said UnitedHealth. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Andrew Witty, chief executive officer of UnitedHealth Group.

UnitedHealth also said its disclosure was not an official breach notification. The company said it will reach out to stakeholders when they have sufficient information for additional notifications.

“We can expect to continue to get information in dribs and drabs,” said Toby Gouker, chief security officer at First Health Advisory, and an SC Media columnist. “And Change/UnitedHealth are not to be blamed for the slowness of discovery and disclosure. It not only looks like this has turned into a double extortion, but we have heard that the malicious actors were inside of their system a week in advance of the exploitation.”

Gouker explained that these malicious actors are experts at obfuscation. Once they gained access through the remote desktop application, they moved around covertly, hiding their tracks as they proceeded to escalate their privileged access to the system and drop payloads as they went, said Gouker.

“Only when the time is right they launch their exploit and all hell breaks loose,” said Gouker. “It will likely be several more months before the forensics teams can uncover all they touched in this attack.”

Offering credit monitoring 'worthless' when health records exposed

Steve Hahn, executive vice president of Americas at BullWall, added that the breach notification blitz of letters promising after-attack investigations and offering a year’s credit monitoring continues. Hahn said it’s the standard response from companies to give their customers a sense of protection but, frankly, “they are worthless.”

“If the threat actors have access to your healthcare records, they could do a lot more than open up a credit card in their name,” said Hahn. “We’ve seen horrific consequences from this stolen data. Breast cancer patients having their photographs leaked, in complete undress, for not paying a ransom. Imagine being hit with breast cancer and while you’re at [your] most vulnerable mental and physical state having these pictures permanently part of the internet. Horrific.”

Hahn added that while people need to understand that their Social Security numbers are already widely available on the dark web, the DNA and medical histories of the general public are a whole new level of data that the bad guys want dearly.

“It’s not been made public what this threat group got, but if they did get patients’ Social Security numbers, names, and full medication history, this needs to be known,” said Hahn. “Criminal groups will use this to fill prescriptions for common black-market drugs or to blackmail or impersonate patients. We don’t know if that’s happened in the Change Healthcare case, but we’ve seen it in other healthcare breaches.”

Piyush Pandey, chief executive officer at Pathlock, said that given the scale of the PHI and PII data compromised, the focus could beneficially shift towards enforcing more stringent data protection measures, such as data masking and dynamic access controls.

Data masking — transforming sensitive data so that it retains value for business processes, but is not exploitable for malicious purposes — and dynamic access controls, which adaptively limit data access based on the context of the interaction, are potent tools, said Pandey. These tools can potentially reduce the risk of unauthorized access and data exfiltration.

“By mandating these advanced protective measures, regulators could significantly enhance the security of sensitive information, thereby reducing the likelihood and potential impact of data breaches,” said Pandey. “This shift could serve as a more proactive approach to data protection, making the ‘you may have been impacted’ letters less common and a perhaps less necessary aftermath.”
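To make the two controls Pandey describes concrete, here is an added illustration (not code from Pathlock, UnitedHealth or the article) of masking a patient record and shaping what a requester sees by role and network context. The key, field names, roles and the sample record are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example key; a real deployment keeps this in a KMS or HSM.
MASKING_KEY = b"constructed-example-key"


def pseudonymize(field: str, value: str) -> str:
    """Keyed, deterministic token: the same input always yields the same token,
    so records stay joinable for billing reconciliation or analytics, but the
    token cannot be reversed without the key."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]


def mask_ssn(ssn: str) -> str:
    """Partial masking: keep the last four digits for identity confirmation."""
    digits = "".join(c for c in ssn if c.isdigit())
    return "***-**-" + digits[-4:]


# Fields each (hypothetical) role may see in the clear; everything else is masked.
CLEAR_FIELDS = {
    "treating_clinician": {"name", "dob", "ssn", "medications"},
    "billing": {"name", "dob"},
    "analytics": {"medications"},  # clinical value kept, identifiers tokenized
}


def apply_policy(record: dict, context: dict) -> dict:
    """Return the view of a record that this requester, in this context, may see."""
    allowed = set(CLEAR_FIELDS.get(context.get("role"), set()))
    # Dynamic element: off the trusted network, no role gets identifiers in the clear.
    if not context.get("trusted_network", False):
        allowed -= {"name", "dob", "ssn"}
    view = {}
    for field, value in record.items():
        if field in allowed:
            view[field] = value
        elif field == "ssn":
            view[field] = mask_ssn(value)
        elif field in ("name", "dob"):
            view[field] = pseudonymize(field, value)
        else:
            view[field] = "[redacted]"
    return view


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Example", "dob": "1980-01-01",
          "ssn": "123-45-6789", "medications": "lisinopril 10mg"}

if __name__ == "__main__":
    for ctx in ({"role": "treating_clinician", "trusted_network": True},
                {"role": "billing", "trusted_network": True},
                {"role": "billing", "trusted_network": False},
                {"role": "analytics", "trusted_network": True}):
        print(ctx, apply_policy(SAMPLE, ctx))
```

The point of the tokenized fields is that a leaked export or screenshot carries no reversible identifiers, while the partially masked SSN still supports a support desk's identity check.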
