Ransomware Attack on Change Healthcare Exposes Half of US Population

New Evidence Reveals Widespread Impact

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare. One of the largest data breaches ever recorded struck Change Healthcare last year. Change’s technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including nearly all government and commercial payers, according to company documentation.

These services necessarily sweep up loads of patients’ personally identifying information (PII), which ended up in the hands of multiple ransomware actors. Breached companies have been slow to investigate and address critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Regulation and Response

Bischoff hesitates, though, before suggesting that what’s needed is even stricter regulation. "It’s a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don’t want to penalize them for reporting things incorrectly," he says.

At the same time, he adds, "What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it’s up to a year or more before we’re notified that people’s data is out there on the Dark Web, being used for who knows what. And that’s after they’re most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it’s as fresh as possible. That’s when it’s most valuable. So I think we do need more strict standards about the timeliness of these notifications."
