Change Healthcare finally spills the tea on what medical data was stolen by cyber-crew

'Substantial proportion' of America to get a little note from next month

Change Healthcare is formally notifying some of its pharmacy and hospital customers that their patients' data was stolen from it by ransomware criminals back in February – and for the first time has concretely disclosed the types of information swiped during that IT intrusion.

In a Thursday notice, the healthcare giant said it's still "working through data to identify affected individuals." 

This could take some time. Back in April, Change's parent UnitedHealth warned the stolen files "could cover a substantial proportion of people in America," a nation of more than 330 million.

Change provides software and services to manage people's prescription payments and medical claims, among other things, to pharmacies, hospitals, and insurance companies across the United States. Now it's saying that since Thursday, it has been warning those customers that their own customers have had their sensitive info fall into the wrong hands, the hands of ransomware extortionists who raided Change's systems for precious data.

Once the embattled tech biz finishes assessing who exactly was affected, it will mail written letters to affected individuals, we're told, though it also noted "we may not have sufficient addresses for all." This process should begin in late July, we're told.

Also in this week's update Change has, for the first time that we can tell, provided specific details about what types of records may have been exfiltrated by the thieves. This includes first and last names, dates of birth, phone numbers, email addresses, and the following:

  • Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payer ID numbers)
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment)
  • Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
  • Other personal information such as Social Security numbers, driver's licenses or state ID numbers, or passport numbers.

Change maintained it has "not yet seen full medical histories appear in the data review." 

Meanwhile, the corporation — and much of the American healthcare industry — continues the very slow recovery process from the ransomware cyberattack, which began on February 12 when ALPHV affiliates used stolen credentials to break in. We understand the crooks used those creds to remotely access a Citrix-based management portal that didn't have multi-factor authentication enabled, and continued into the corporation from there.

The criminals encrypted Change's IT systems about a week later, preventing patients from getting prescriptions filled and using medical services as expected under their health insurance plans. And it took nearly a month to bring the electronic prescription processing back online.

As of April, Change's costs associated with the attack were nearing $1 billion, and later that month UnitedHealth CEO Andrew Witty confirmed to US senators that his company had paid $22 million to the extortionists to ostensibly keep a lid on the stolen data.

Earlier this month, the Feds started shutting down financial support to healthcare providers that had faced cash-flow issues because of the ransomware infection.

Meanwhile, the healthcare sector remains a prime target for ransomware and other destructive cyberattacks. 

In early June, ransomware gang Qilin crippled services across hospitals in the UK capital after attacking pathology services provider Synnovis. On Friday the Russian crew began leaking patient data stolen during that raid.

In an interview with The Register a member of Qilin told us they were intent on causing havoc in the attack. ®

More about


Send us news

Other stories you might like