The 2024 ransomware attack on Change Healthcare exposed the data of about 190 million people, according to an update from parent company UnitedHealth Group.
# Incident Report: Change Healthcare Ransomware Attack Escalation
## Executive Summary
A significant ransomware attack targeted Change Healthcare, a major healthcare technology provider owned by UnitedHealth. The scope of the breach grew dramatically over time, ultimately impacting an estimated 190 million individuals. Attackers exfiltrated sensitive Protected Health Information (PHI), financial data, and Social Security numbers, and the organization paid a $22 million ransom and undertook extensive notification efforts overseen by HHS.
## Incident Details
- **Discovery Date:** Not explicitly stated, but initial public confirmation/filings occurred around October (when 100 million victims were reported).
- **Incident Date:** Occurred prior to the October filing reporting 100 million victims.
- **Affected Organization:** Change Healthcare (owned by UnitedHealth Group).
- **Sector:** Healthcare Technology/Claims Processing.
- **Geography:** United States (UnitedHealth CEO noted the company processes about half of all US medical claims).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Ransomware attack (specific initial vector not detailed in summary).
- **Details:** Attack led to a large-scale data compromise.
### Lateral Movement
- **Details:** Attackers accessed and exfiltrated a wide range of data from systems handled by Change Healthcare, which processes extensive medical records.
### Data Exfiltration/Impact
- **Details:** Attackers likely accessed health insurance information, PHI (test results, medical record numbers), billing/claims data, financial/banking information, and personal identifiers (SSNs, driver’s licenses). The estimated number of impacted individuals rose from 100 million to approximately 190 million.
### Detection & Response
- **Details:** UnitedHealth completed over 90% of its review by June, noting that while extensive data was stolen, it found "no evidence" that full doctors' charts or medical histories were exfiltrated. Because of the scale, HHS mandated that Change Healthcare file breach notification letters to all victims on behalf of the affected covered entities. The organization paid a $22 million ransom; an internal dispute among the attackers subsequently led to the data being posted on another group's leak site.
## Attack Methodology
- **Initial Access:** Ransomware.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Implied necessity for accessing sensitive data, but specific methods are not detailed.
- **Discovery:** Implied reconnaissance to gather high-value policy and personal data.
- **Lateral Movement:** Implied movement to access diverse databases containing financial, insurance, and PII/PHI records.
- **Collection:** Extensive collection of insurance identifiers, medical record numbers, billing codes, SSNs, and financial information.
- **Exfiltration:** Data was successfully exfiltrated prior to the company gaining control.
- **Impact:** Financial loss from the ransom payment, operational disruption from the required remediation, and mass identity and privacy risk for an estimated 190 million individuals.
## Impact Assessment
- **Financial:** $22 million ransom paid, plus significant costs for remediation and mandatory breach notification efforts.
- **Data Breach:** Approximately 190 million individuals impacted. Data included health insurance details, PHI, financial data, SSNs, and identification numbers.
- **Operational:** Significant disruption implied, given that the company processes about half of all US medical claims. A lengthy review process was required to meet notification obligations.
- **Reputational:** Significant negative public attention stemming from the scale of the data loss concerning sensitive medical information.
## Indicators of Compromise
- **Network indicators:** N/A (no network indicators are provided in the source).
- **File indicators:** N/A (no threat actor binaries or file hashes are detailed in the source).
- **Behavioral indicators:** Unauthorized access and exfiltration of large volumes of medical and financial data; ransomware deployment leading to data encryption/theft.
## Response Actions
- **Containment measures:** Not specified, although a significant review effort followed initial detection of the incident.
- **Eradication steps:** Implied by the remediation efforts following the attack and the completion of the 90%+ data review.
- **Recovery actions:** Payment of the $22 million ransom, and extensive coordination with HHS OCR to manage victim notifications and ensure coverage for vulnerable populations.
## Lessons Learned
- Accurately quantifying the scope of a major data breach can take a long time and be subject to significant upward revision (from 100 million to 190 million victims in this case).
- Third-party vendors such as Change Healthcare that process massive volumes of sensitive national data represent a concentrated point of risk.
- Payment of a ransom does not guarantee data security or prevent the data from being released (as evidenced by the data appearing on another leak site).
## Recommendations
- Conduct immediate, comprehensive third-party risk assessments for vendors managing critical national infrastructure data (especially PHI and claims processing).
- Enhance network segmentation and access controls to limit the "blast radius" of an initial compromise by ransomware.
- Develop robust, accelerated procedures for forensic analysis and victim quantification following a major incident to meet regulatory timelines faster.