Company Says Change Healthcare Hackers Stole Sensitive Data
UnitedHealth Group Makes Low Key Admission in Online FAQ
UnitedHealth Group said for the first time that hackers behind a February ransomware attack against Change Healthcare breached sensitive health information, an admission that triggers a regulatory countdown clock for public disclosures and individual notification.
Buried in a frequently asked questions portion of its website, UnitedHealth Group in an update posted Monday said a review of data affected by the Feb. 21 attack is underway by a "leading" forensics expert.
"At this time, we know that the data had some quantity of personal health information and personally identifiable information," the company said. "We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made." Change Healthcare is an intermediary between caregivers and insurance companies that processes sensitive information as part of claims settlements.
UnitedHealth Group did not immediately respond to Information Security Media Group's request for additional details about the newly confirmed breach. The company in an emailed statement said: "We are working with law enforcement and outside experts to investigate claims posted online. Our investigation remains active and ongoing."*
The low-key admission from the company came as cybercriminal group RansomHub this week reportedly posted UnitedHealth Group data for sale on its dark web site and displayed several screenshots supposedly showing samples of data that an affiliate of another ransomware group - BlackCat/Alphv - exfiltrated in the attack (see: Second Gang Shakes Down UnitedHealth Group for Ransom).
Change Healthcare's hesitancy to say whether ransomware hackers breached sensitive information covered by the Health Insurance Portability and Accountability Act has run deep. A breach of HIPAA data requires the company to notify federal regulators and triggers potentially costly individual notifications, which must be sent within 60 days of the breach's discovery.
Legally, the burden of notification could be borne by the individual hospitals, clinics, and doctor practices that relied on Change Healthcare for claims processing, but UnitedHealth Group has indicated it will assume the burden of breach notification. The quantity of notifications for the incident could reach millions of individuals, since it's typically impossible to say with precision whether hackers accessed, viewed or disclosed any particular record in a database. Any intrusion into a database effectively means all individuals whose information is collected there should receive a breach notification.
Expert witnesses testifying as recently as Tuesday at a congressional hearing about the Change Healthcare attack said that to date, UnitedHealth Group had not publicly confirmed whether PII and PHI were compromised in the attack, despite cybercriminals' claims (see: Congress Asks What Went Wrong in Change Healthcare Attack).
Earlier in the month, UnitedHealth Group confirmed data had been "taken" in the attack but said it had only started to analyze the types of sensitive personal, financial and health information potentially compromised in the attack (see: UnitedHealth Group Admits Patient Data Was 'Taken' In Mega Attack).
Analysis of affected data is difficult, UnitedHealth Group said in the Monday update. "This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems," the company said. "We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data."
"We continue to be vigilant, and we are committed to providing appropriate support to people whose data is found to have been compromised," it added.
*Article updated to include UnitedHealth Group's statement, April 18 UTC 15:26.