UnitedHealth Group has begun pinning down what patient data was stolen during the February breach of company subsidiary Change Healthcare. It turns out the hackers appear to have stolen a motherlode of sensitive information.

On Thursday, Change Healthcare published an official notice about February’s breach, which may have affected “a third” of Americans. The company still isn’t offering an exact count of the number of consumers who were ensnared. But following an extensive investigation, Change Healthcare did confirm that the hackers stole a “substantial quantity of data.”

Exactly what kind of data was looted from each user remains unclear. But the company says the stolen information may have included a user’s full name, physical address, date of birth, phone number and email address. Other data that could have been stolen include the user’s health insurance information, medical record numbers, diagnoses, test results, along with payment card and banking information. In addition, the hackers may have also taken people’s Social Security numbers, driver’s license ID numbers and passport numbers. “The information that may have been involved will not be the same for every impacted individual,” the company added. “To date, we have not yet seen full medical histories appear in the data review.”
In the wrong hands, the stolen information could be easily exploited to conduct identity theft schemes and other scams on affected consumers. The company provided the information as it prepared on Thursday to send out official data breach notices to affected customers. The breach of Change Healthcare occurred after hackers tied to the ransomware group ALPHV managed to infiltrate the company and steal an alleged 6,000GB of data.
The company’s parent, UnitedHealth Group, then paid a $22 million ransom to the group to prevent the data from leaking. But in April, a second hacking group, called Ransomhub, also demanded the health insurance provider pay another ransom, alleging it was behind the original intrusion into Change Healthcare. Whether UnitedHealth Group paid the second ransom remains unclear. But even if it did, there’s no guarantee that the hackers kept the data to themselves — especially when selling the information could help them make more money. In the meantime, Change Healthcare plans on offering affected users “two years of complimentary credit monitoring and identity protection services.”