UnitedHealth Group has disclosed that over 100 million individuals had their sensitive data compromised as a result of the February attack by the now-defunct ALPHV/BlackCat ransomware operation against its subsidiary Change Healthcare, making the incident the largest U.S. healthcare data breach yet, reports TechCrunch.
Investigation into the incident revealed that infiltration of Change Healthcare's employee systems through stolen credentials without multi-factor authentication enabled the eventual compromise of the firm's network with ransomware, resulting in network disruptions that persist to this day. On the other hand, a copy of the stolen data obtained from ALPHV/BlackCat after the payment of a $22 million ransom confirmed the exfiltration of individuals' names, birthdates, addresses, Social Security numbers, diagnoses, imaging and care treatment plans, and financial and banking information, among others. "We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages," said UnitedHealth spokesperson Tyler Mason.