Change Healthcare Breach Impact Doubles to 190M People

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.

One of the largest data breaches ever recorded struck Change Healthcare last year. Change’s technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including “nearly all government and commercial payers,” according to company documentation. These services necessarily sweep up loads of patients’ personally identifying information (PII), which ended up in the hands of multiple ransomware actors.

Late last year, it was reported that the incident affected around 100 million Americans. Now, UnitedHealth has updated that number to approximately 190 million. A company spokesperson confirmed this in an emailed statement to Dark Reading, adding, “the vast majority of those people have already been provided individual or substitute notice.”

Change’s Changing Cyberattack Story

Last February, in concert, pharmacies around the US experienced significant delays to prescription orders. Behind it all was Change Healthcare, which processes billions of transactions every year, representing trillions of dollars worth of medical claims.

The company first stated that it had suffered a nation-state cyber intrusion. In fact, it was a regular old ransomware attack (for which it would later pay a whopping $22 million ransom). And this wasn’t the only crucial detail it got wrong.

In June, Change Healthcare finally sent out notices of data compromise, revealing that affected customers totaled around 100 million. On Friday, however, UnitedHealth Group publicly adjusted that figure to include 90 million more.

In its updated online notice of data breach, the company admitted that hackers may have obtained a variety of personally identifying information (PII) about patients and guarantors, including their first and last names, dates of birth, phone numbers, home addresses, and email addresses. Social Security numbers, it noted, were lost only in “rare instances,” and in an email to Dark Reading, a spokesperson claimed that Change Healthcare “has not seen electronic medical record databases appear in the data during the analysis.”

The spokesperson also emphasized that “Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident.”

However, Paul Bischoff, consumer privacy advocate at Comparitech, warns that “every press release I ever see about a data release says ‘there’s no evidence that your information has been abused or misused in any way.’ But, obviously, they’re not really looking for that for those instances of abuse, and they would never know if it actually happened. And the people that it happens to can’t attribute the identity theft that they’re suffering back to the data breach that caused it.”

When Data Breach Disclosures Go Wrong

The Securities and Exchange Commission (SEC) data breach disclosure rules require that publicly traded companies disclose “material” cybersecurity incidents within four days of becoming alerted to them. The same rule applies to material updates to breach disclosures, such as when an attack is found to have affected nearly twice as many victims as once thought.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Bischoff hesitates, though, before suggesting that what’s needed is even stricter regulation. “It’s a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don’t want to penalize them for reporting things incorrectly,” he says.

At the same time, he adds, “What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it’s up to a year or more before we’re notified that people’s data is out there on the Dark Web, being used for who knows what. And that’s after they’re most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it’s as fresh as possible. That’s when it’s most valuable. So I think we do need more strict standards about the timeliness of these notifications.”
