Two months after the initial disclosure of the ransomware attack on its network, Change Healthcare officials said the company has now determined that the attackers gained access to some protected health information and personally identifiable information “which could cover a substantial proportion of people in America.”
The company has been investigating the intrusion since it was discovered in late February, but most of the available information about the incident focused on the ransomware deployment and the effects on the company’s systems and its downstream partners and customers. The attack crippled much of Change Healthcare’s operations and, because the company handles data, transaction clearing, and payment and claims processing for a huge chunk of the U.S. healthcare industry, caused massive delays for thousands of providers and pharmacies around the country. On Tuesday, Change Healthcare said that its ongoing investigation has now found that the attackers were able to steal files that included both PHI and PII.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” the statement says.
“The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published. There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time.”
The attack on Change Healthcare has developed into potentially one of the more damaging and far-reaching incidents of its kind in recent years. Given the depth of the company’s integration into the healthcare ecosystem in the U.S., the effects of the ransomware attack may still be unfolding in the coming months. Many practices, pharmacies, hospitals, and other organizations have experienced significant delays in both claims and payment processing as a result of the incident, and some pharmacy chains were unable to fill prescriptions for some time as well.
The attack has been attributed to the ALPHV/BlackCat ransomware group, which had been the target of a disruption effort by law enforcement just two months before the Change Healthcare intrusion was discovered. The company said it paid a ransom to the attackers, reportedly $22 million. But some of the stolen data was published online anyway.
Federal regulators and legislators have followed the details of the breach closely, and Andrew Witty, the CEO of Change Healthcare’s parent company, UnitedHealth Group, will testify in a hearing before the House Energy and Commerce Committee on May 1 to discuss the effects of the attack on providers and patients.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Witty.