Over the past few months, we’ve seen a wave of data breaches affecting millions of people, from healthcare giants to government contractors and more. This latest incident is yet another in a long line of alarming breaches. Change Healthcare experienced a major data breach in February this year, causing widespread disruption across the U.S. healthcare sector. At the time, the company did not specify how many people were affected by the breach but hinted that it might impact well over one-third of the U.S. population, marking one of the largest known digital thefts of medical records to date. The owner of Change Healthcare, UnitedHealth Group (UHG), has now confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in what was a ransomware attack.
GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE
Timeline of the Change Healthcare cyberattack
The Change Healthcare cyberattack happened in February, with news going public on February 21. To contain the breach, the company took its systems offline, which led to immediate disruptions across the U.S. healthcare sector that relies on Change’s services for claims processing, payments, and data sharing. UHG CEO Andrew Witty told Congress in May that “maybe a third” of Americans’ health data was exposed in the attack.
A month later, Change Healthcare sent out a data breach notice, confirming that the February ransomware attack exposed a “substantial quantity of data,” affecting a large number of Americans. UnitedHealth Group started notifying impacted individuals in late July, with notifications continuing through October, and the final tally of those affected was released earlier this month.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) data breach portal updated the total number of impacted people to 100 million. “On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach,” reads an updated FAQ on the OCR website.
THE HIDDEN COSTS OF FREE APPS: YOUR PERSONAL INFORMATION
What data got stolen?
There’s roughly a 30% chance your personal data was compromised in this breach. Change Healthcare is one of the largest handlers of health, medical data, and patient records, and in 2022, it merged with U.S. healthcare provider Optum as part of a deal with UHG, bringing the two giants together under UHG’s umbrella.
This merger gave Optum — already managing physician groups and providing tech and data to insurers and healthcare services — broader access to the patient records handled by Change. Overall, UHG offers benefit plans to over 53 million customers in the U.S. and another 5 million globally, while Optum serves about 103 million U.S. customers.
The stolen data varies by individual but includes personal information such as names, addresses, dates of birth, phone numbers, email addresses, and government ID numbers, including Social Security, driver’s license, and passport numbers. On top of that, hackers may also have accessed health data, including diagnoses, medications, test results, imaging, care and treatment plans, and health insurance information. Financial and banking details found in claims and payment data are also reportedly compromised.
FROM TIKTOK TO TROUBLE: HOW YOUR ONLINE DATA CAN BE WEAPONIZED AGAINST YOU
What caused the data breach?
The Change Healthcare data breach was caused by a ransomware attack, a type of malware attack that blocks access to the victim’s personal data unless a “ransom” is paid. UHG said ALPHV/BlackCat was behind the attack, a Russian-speaking ransomware and extortion gang that later took credit for the cyberattack.
However, the attack was made possible because Change Healthcare wasn’t smart enough to protect its customers’ data with Multi-Factor Authentication (MFA). The company admitted this during a House hearing into the cyberattack in April. This raises an important question: how could a company that has billions of dollars in revenue and stores data for over 100 million Americans fail at basic cybersecurity?
UHG paid a ransom to get a decryptor and for the hackers to delete the stolen data. The ransom was said to be around $22 million and was supposed to be split between the affiliate and the ransomware operation. However, BlackCat kept it all for themselves and pulled an exit scam.
This complicated things for UHG because the affiliate claimed they still had the company’s data. They later joined forces with a new group called RansomHub, leaking some of the stolen data and extorting a second ransom from UHG.
6 ways to protect yourself from Change Healthcare data breach
1) Remove your personal information from the internet: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap – and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.
My top recommendation is Incogni, which has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 190+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases.
Get Incogni for your family (up to 4 people) here
2) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
3) Be cautious of phishing attempts: Be vigilant about emails, phone calls, or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request. The best way to protect yourself from clicking malicious links that install malware is to have strong antivirus protection installed on all your devices.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.
4) Monitor your accounts: Breaches of this magnitude will make it a necessity for you to start routinely reviewing your bank accounts, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.
5) Recognizing and reporting a Social Security scam: If there is a problem with a person’s Social Security number or record, Social Security will typically mail a letter. You can learn more about recognizing Social Security-related scams, including how to report a scam quickly and easily online to Social Security’s Office of the Inspector General, by reading more at www.ssa.gov/scams.
6) Invest in identity theft protection: Data breaches happen every day, and most never make the headlines, but with an identity theft protection service, you’ll be notified if and when you are affected.
While there are many services that you can sign up for, my top recommendation is Identity Guard. It can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. It can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
CyberGuy’s Exclusive Offer (66% off): Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
See my tips and best picks on how to protect yourself from identity theft.
Kurt’s key takeaway
In just 2024, with over two months still to go, we’ve witnessed countless data breaches affecting millions of Americans. This highlights how valuable your data is and how little some companies are doing to protect it. Big firms with massive revenues are struggling to implement even the most basic cybersecurity measures, practically inviting cybercriminals to hack their systems. Change Healthcare fell into this trap by not implementing two-factor authentication, leaving everything from your financial details to health data in the hands of criminals.
Do you think these companies are doing enough to protect your data, and is the government doing enough to catch those behind cyberattacks? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.