Change Healthcare shares details on medical data stolen during disastrous February cyber attack

Cyber security concept image showing digitized circuit board with a red alert symbol.
(Image credit: Getty Images)

Change Healthcare has shared details on the scale of the devastating ransomware attack which crippled its systems in February. 

In a customer notice last week, the US-based healthcare technology provider confirmed it has begun notifying affected customers but warned that it’s still working to identify affected individuals and that the process could take some time.

The firm said it plans to contact all affected customers and provide information on how they can protect themselves. This includes offering two years of complimentary credit monitoring and identity theft protection services.

“CHC plans to mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address,” the company said.

“Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures.”

In the update, the company also shared fresh details on the type of data stolen by cyber criminals, which includes first and last names, phone numbers, email addresses, and dates of birth.

Other information stolen included:

  • Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers).
  • Health information (including  medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment).
  • Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due).
  • Other personal information such as Social Security numbers, driver’s licenses, state ID numbers, or passport numbers.

The company insisted that it has “not yet seen full medical histories appear in the data review”.

What happened in the Change Healthcare cyber attack?

Change Healthcare said it first detected the deployment of ransomware in its computer systems on February 21. 

The incident quickly spiraled out of control and caused widespread disruption for customers across the country, affecting critical systems including pharmacy services, payment platforms, and medical claims.

The ALPHV/BlackCat ransomware group claimed responsibility for the attack.

Parent company UnitedHealth warned that a “substantial proportion” of people in the US were impacted. Similarly, the American Hospital Association described the attack as "the most significant and consequential incident of its kind against the US healthcare system in history".

RELATED WHITEPAPER

In April, UnitedHealth Group admitted to having paid a $22 million ransom to recover data stolen in the incident. Just weeks later, it revealed the financial impact of the attack could rise to as much as $1.6 billion.

The disruption caused by the initial breach was compounded by a second attack on the firm within the space of two months. The RansomHub threat collective claimed responsibility for this incident and demanded an additional ransom be paid.

This particular group is believed to have been an affiliate of ALPHV, and claims were made at the time that the attack was made to recoup losses after the group failed to pay associates.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.