Revenue and payment cycle management provider Change Healthcare (CHC) experienced a ransomware attack in February this year that resulted in severe system outages impacting billing and pharmacies in the U.S. The attack, which was then claimed by cybercriminal group ALPHV, exposed customer contact, insurance, health, billing, claims, and payment information, as per the company’s recent announcement.
In April, CHC's parent company, UnitedHealth Group, released an update stating that protected health information (PHI) or personally identifiable information (PII) has been exposed.
Now, CHC says stolen medical and patient data may include names, addresses, dates of birth, phone numbers, email addresses, and Social Security, passport, driver’s license, or state ID numbers, as well as details about primary, secondary, or other health plans/policies, insurance companies, and member/group and Medicaid-Medicare-government payor ID numbers.
Other potentially exposed information refers to medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment, claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and due balances.
The company now states that the details are not the same for all impacted individuals, and full medical histories “have not yet appeared in the data review.”
Once the data review has concluded, CHC intends to send written letters to people who have notifications enabled and recorded physical addresses.
But shortly after the ALPHV group claimed the ransomware attack, the actor reportedly staged an exit scam, pretending the FBI had seized control over the group’s website. A new ransomware group, RansomHub, listed the alleged hack, saying it included 4TB of data.
Cybercriminal attacks on healthcare companies and institutions are still on the rise. The latest victim was the specialty radiology practice Consulting Radiologists Ltd in Minnesota, which sent breach notification messages to 512,000 individuals.