Healthcare giant announces that ransomware has stolen medical records of 'a significant percentage of Americans'; despite paying $35 million ransom, data leaks could not be prevented and damages continue to grow



Ransomware damage is not limited to Japanese companies and institutions, where it has shut down several KADOKAWA services, including Nico Nico Douga. Change Healthcare (CHC), a major medical management system that handles the health data of one-third of Americans, announced the results of an investigation into a ransomware attack that occurred in February 2024, stating that 'vast amounts of data on a significant proportion of Americans' had been stolen.

Change Healthcare HIPAA Substitute Notice | Change Healthcare
https://www.changehealthcare.com/hipaa-substitute-notice

Change Healthcare lists the medical data stolen in ransomware attack
https://www.bleepingcomputer.com/news/security/change-healthcare-lists-the-medical-data-stolen-in-ransomware-attack/

CHC became aware of ransomware deployment on its systems on February 21, 2024. To prevent the impact from spreading, CHC disconnected its systems and turned off its equipment, contacted law enforcement, and began an investigation, which confirmed that a large amount of data had been exposed between February 17 and 20.

The group that allegedly attacked CHC with ransomware claims to have stolen 6TB of data.

Ransomware attack affects more than 90% of 70,000 pharmacies across the US, hackers claim to have stolen 6TB of data - GIGAZINE



CHC, which had been working with cybersecurity experts to verify the leaked data, announced on June 20 that 'after analysis, CHC has formally confirmed that the affected data may affect a significant percentage of the U.S. population.'

The investigation is in its final stages but is still ongoing, so it is not yet clear whose data was compromised; however, in addition to contact details such as name, address, date of birth, phone number and email, data may include one or more of the following:
- Health insurance information (such as health insurance plan, insurance company, membership number, medical assistance program ID number, etc.)
- Health information (such as medical record numbers, health care providers, diagnoses, medications, test results, images, care, treatment, etc.)
- Invoice, billing and payment information (such as invoice numbers, account numbers, billing codes, payment cards, financial and banking information, payment amounts, and remaining balances)
- Other personal information (such as social security number, driver's license number, state ID number, passport number, etc.)

The extent of the impact varies, but so far there have been no cases of complete medical histories being exposed, and the information doesn't necessarily belong to the patient, but may instead be the data of those who paid for medical services.

CHC will begin accepting phone enquiries from people who want to find out if they have been affected, and will begin mailing official data breach notification letters to victims from late July.

To resolve the situation, UnitedHealth, the parent company of CHC, paid a ransom of $22 million (approximately 3.5 billion yen) to a ransomware group called BlackCat. The ransom was to be split between BlackCat and another related organization involved in the attack, but since BlackCat ran off with the entire amount, the related organization that did not receive the ransom announced that it had 'stopped deleting the stolen data as promised.'

The group then leaked some of the personal information stolen from CHC on a data leak site and demanded additional payment. The leak was deleted shortly afterward, which, according to the IT news site BleepingComputer, indicates that UnitedHealth had responded to the additional ransom demand.

A survey has shown that 80% of organizations that have paid ransoms in the past have been victimized a second time. The US-led Global Ransomware Initiative (CRI), of which Japan is a member, has a policy of not paying ransoms, based on the view that paying ransoms only encourages cybercrime organizations.

US-led International Anti-Ransomware Initiative pledges not to pay ransoms for ransomware - GIGAZINE



As of April 2024, UnitedHealth estimates that losses from the ransomware attack on CHC will be $872 million (approximately 140 billion yen), and that the amount may increase as a result of further investigation and recovery.

in Security, Posted by log1l_ks