Change Healthcare says attackers gained access to PHI and PII

Two months after initially disclosing the ransomware attack on its network, Change Healthcare officials said the company has now determined that the attackers gained access to certain protected health information and personally identifiable information “that would affect a significant portion of people in America.” can cover”.

The company has been investigating the breach since it was discovered in late February, but most available information about the incident focused on the ransomware implementation and the effects on the company’s systems and its downstream partners and customers. The attack crippled much of Change Healthcare’s operations, and because the company handles data, transaction processing, and payment and claims processing for much of the U.S. healthcare industry, it caused massive delays for thousands of providers and pharmacies across the country. On Tuesday, Change Healthcare said its ongoing investigation has now revealed that the attackers were able to steal files containing both PHI and PII.

“Based on the first targeted data sampling to date, the company has identified files containing protected health information (PHI) or personally identifiable information (PII) that could cover a significant portion of people in America. To date, the company has seen no evidence of exfiltration of materials such as physician records or complete medical histories among the data,” the statement said.

“The company, along with leading third-party industry experts, continues to monitor the Internet and the dark web to determine if any data has been published. There were 22 screenshots, allegedly from exfiltrated files, some of which contained PHI and PII, posted to the dark web by a malicious threat actor for about a week. No further release of PHI or PII has occurred at this time.”

The attack on Change Healthcare has developed into one of the most potentially damaging and far-reaching incidents in recent years. Given the company’s deep integration into the US healthcare ecosystem, the fallout from the ransomware attack could still play out in the coming months. Many practices, pharmacies, hospitals and other organizations have experienced significant delays in both claims and payment processing as a result of the incident, and some pharmacy chains were also unable to fill prescriptions for some time.

The attack is attributed to the ALPHV/BlackCat ransomware group, which was targeted in a law enforcement disruption just two months before the Change Healthcare breach was discovered. The company said it paid a ransom to the attackers, reportedly $22 million. But some of the stolen data was published online anyway.

Federal regulators and lawmakers have been closely monitoring the details of the breach, and Andrew Witty, the CEO of Change Healthcare’s parent company, UnitedHealth Group, will testify on May 1 at a hearing before the House Energy and Commerce Committee to assess the impact of the attack to discuss. about healthcare providers and patients.

“We know this attack has caused concern and been disruptive for consumers and providers, and we are doing everything we can to help and provide support to anyone who needs it,” Witty said.