The recent revelation from Change Healthcare has shocked the cybersecurity world: the data breach and ransomware attack on its system were much larger than previously estimated. The UnitedHealth Group subsidiary originally reported around 110 million victims, but the latest statement from the company spokesperson now puts the number at approximately 190 million individuals impacted by the cyberattack.
This significant increase in the victim count has raised concerns about the extent of the breach and the potential risks to the affected individuals. The company has stated that the “vast majority” of the victims have already been notified, and the final number will be filed with the Office for Civil Rights at the U.S. Department of Health and Human Services once the investigation is complete.
Despite the large scale of the breach, there is some hopeful news for the victims. Change Healthcare has not detected any misuse of individuals’ information as a result of the incident, and no electronic medical record databases have appeared in the exposed data during the analysis. However, it is still unclear what efforts the company is making to monitor the dark web for any patient data that may have been exposed in the cyberattack.
One of the key developments in the aftermath of the breach was the company’s decision to pay a $22 million ransom to the ALPHV/BlackCat ransomware group in an attempt to retrieve the data. However, not all of the data was recovered, and the RansomHub group subsequently tried to extort the company.
In response to the breach, Change Healthcare has updated its HIPAA substitute notice page to reflect the progress of the investigation. The company considers the victim count of approximately 190 million unlikely to change once the investigation is concluded.
The leaked information from the breach includes sensitive data such as contact information, date of birth, health insurance information, medical records, billing information, and more. While Social Security numbers were not impacted for the majority of individuals, some information related to guarantors may have been exposed.
For the affected individuals, Change Healthcare has recommended enrolling in two years of complimentary credit monitoring and identity protection services. Victims are also advised to monitor their financial statements and report any suspicious activity to authorities.
The Change Healthcare breach is just one of many cybersecurity incidents that have plagued the healthcare industry in recent times. As the sector grapples with increasing cyber threats, the proposed new HIPAA Security Rule could provide much-needed improvements to healthcare cybersecurity if finalized under the new U.S. Administration.
Overall, the scale of the Change Healthcare data breach highlights the urgent need for robust cybersecurity measures in the healthcare industry to protect sensitive patient information and prevent future cyberattacks.
