The hack and data breach stands as the biggest breach of U.S. medical data in history, affecting 190 million people.
A February 2024 ransomware attack on UnitedHealth-owned health tech company Change Healthcare stands as the largest data breach of health and medical data in U.S. history.
Change Healthcare confirmed in January 2025 that its data breach affects approximately 190 million people in America, almost double the company’s previous estimate.
The company said it has notified millions of individuals by mail that their personal and health information was stolen by cybercriminals, and published a separate public notice for anyone whose contact information could not be found.
Here’s what has happened since the ransomware attack began.
February 21, 2024
First report of outages as security incident emerges
It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors’ offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly something had gone very wrong.
It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector that relies on a handful of companies — like Change Healthcare — to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company’s systems over a week earlier, on or around February 12.
February 29, 2024
UnitedHealth confirms it was hit by ransomware gang
After initially (and wrongly) attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang “represented itself to us as ALPHV/BlackCat,” a company spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen millions of Americans’ sensitive health and patient information, giving the first indication of how many individuals this incident had affected.
ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates — contractors who work for the gang — break into victim networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a cut of the profits from the ransoms collected from victims to get their files back.
Knowing that the breach was caused by a ransomware gang changed the equation of the attack from the kind of hacking that governments do — sometimes to send a message to another government instead of publishing millions of people’s private information — to a breach caused by financially motivated cybercriminals, who are likely to employ an entirely different playbook to get their payday.
March 3-5, 2024
UnitedHealth pays a ransom of $22 million to hackers, who then disappear
In early March, the ALPHV ransomware gang vanished. The gang’s leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement took down the gang’s site. But both the FBI and U.K. authorities denied taking down the ransomware gang as they had attempted months earlier. All signs pointed to ALPHV running off with the ransom and pulling an “exit scam.”
In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is “still with us.” UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.
March 13, 2024
Widespread disruption across U.S. healthcare amid fears of data breach
Meanwhile, weeks into the cyberattack, outages were still ongoing, with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said “all military pharmacies worldwide” were affected as well.
The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, causing massive disruption that continued to ripple across the healthcare sector.
By March 13, Change Healthcare had received a “safe” copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.
March 28, 2024
U.S. government ups its bounty to $10 million for information leading to ALPHV capture
By late March, the U.S. government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates.
By offering $10 million to anyone who can identify or locate the individuals behind the gang, the U.S. government seemed to hope that one of the gang’s insiders would turn on their former leaders. It also could be seen as the U.S. realizing the threat of having a significant number of Americans’ health information potentially published online.
April 15, 2024
Contractor forms new ransom gang and publishes some stolen health data
And then there were two — ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat.
Ransomware gangs don’t just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn’t paid. This is known as “double extortion.” In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim’s customers, known as “triple extortion.”
Now that UnitedHealth was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It’s why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.
April 22, 2024
UnitedHealth says ransomware hackers stole health data on a “substantial proportion of people in America”
For the first time, UnitedHealth confirmed on April 22 — more than two months after the ransomware attack began — that there was a data breach and that it likely affects a “substantial proportion of people in America,” without saying how many millions of people that entails. UnitedHealth also confirmed it paid a ransom for the data but would not say how many ransoms it ultimately paid.
The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging and care and treatment plans, and other personal information.
Given that Change Healthcare handles data on as many as half of everyone living in the United States, the data breach is likely to affect more than 100 million people at least. When reached by TechCrunch, a UnitedHealth spokesperson did not dispute the likely affected number but said that the company’s data review was ongoing.
May 1, 2024
UnitedHealth Group chief executive testifies that Change wasn’t using basic cybersecurity
Perhaps unsurprisingly, when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers.
That’s what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s systems using a single set password on a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks by requiring a second code sent to that account holder’s phone.
One of the biggest data breaches in U.S. history was entirely preventable, was the key message. Witty said that the data breach was likely to affect about one-third of people living in America — in line with the company’s previous estimate that the breach affects around as many people as Change Healthcare processes healthcare claims for.
June 20, 2024
UHG starts notifying affected hospitals and medical providers what data was stolen
It took Change Healthcare until June 20 to begin formally notifying affected individuals that their information was stolen, as legally required under a law commonly known as HIPAA, likely delayed in part by the sheer size of the stolen dataset.
The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the “safe” copy of the stolen data. But Change said it “cannot confirm exactly” what data was stolen about each individual and that the information may vary from person to person. Change says it was posting the notice on its website, as it “may not have sufficient addresses for all affected individuals.”
The incident was so big and complex that the U.S. Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort seen as lessening the burden on smaller providers whose finances were hit amid the ongoing outage.
July 29, 2024
Change Healthcare begins notifying known affected individuals by letter
The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July.
The letters going out to affected individuals will most likely come from Change Healthcare, if not the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data were stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.
A spokesperson for UnitedHealth told TechCrunch that the data review was in its “final stages.”
October 24, 2024
UnitedHealth confirms at least 100 million people affected by data breach
It took the health insurance giant more than eight months to announce, but it has now confirmed that the data breach affects more than 100 million individuals. The number of those affected is expected to rise, given some have received data breach notifications as recently as October. The U.S. Department of Health and Human Services reported the updated number on its data breach portal on October 24.
As it stands, the data breach at Change Healthcare is now the largest digital theft of U.S. medical records, and one of the biggest data breaches in living history.
December 16, 2024
New details about Change hack emerge in Nebraska lawsuit
The state of Nebraska filed a lawsuit against Change Healthcare in December, accusing the health tech giant of security failings that led to the massive breach of at least 100 million people in America. New details about the hack emerged in the state’s complaint, including that the ALPHV hackers initially broke in using the stolen username and password of a “low-level customer support employee,” which wasn’t protected with multi-factor authentication. The state’s complaint also accuses Change Healthcare of having poorly segmented IT systems, which allowed the hackers to move freely between servers once inside the company’s firewall.
UnitedHealth Group, which owns Change Healthcare, told TechCrunch that the company was still in the “final stages” of notifying individuals affected by the data breach (the same thing it told us in July), suggesting that the number of Americans affected by the data breach will be far higher than the 100 million disclosed so far.
January 24, 2025
Change Healthcare says 190 million people in America affected by data breach
On a Friday evening almost a year after the cyberattack, UnitedHealth confirmed that the number of people in America who had private health data stolen in the data breach stands at 190 million, more than half of the population of the United States. The healthcare insurance giant said it plans to notify the U.S. Department of Health and Human Services of the updated figure, as required by law, at a later date.
Millions of people are affected by the breach, even if they didn’t have UnitedHealthcare insurance, given the massive amounts of medical data and billing transactions that Change Healthcare processes across the U.S. healthcare system every day.