Change Healthcare finally spills the tea on what medical data was stolen by cyber-crew

'Substantial proportion' of America to get a little note from next month


Change Healthcare is formally notifying some of its pharmacy and hospital customers that their patients' data was stolen from it by ransomware criminals back in February – and for the first time has concretely disclosed the types of information swiped during that IT intrusion.

In a Thursday notice, the healthcare giant said it's still "working through data to identify affected individuals." 

This could take some time. Back in April, Change's parent UnitedHealth warned the stolen files "could cover a substantial proportion of people in America," a nation of more than 330 million.

Change provides software and services to manage people's prescription payments and medical claims, among other things, to pharmacies, hospitals, and insurance companies across the United States. It now says that since Thursday it has been warning those customers that their own patients' sensitive information has fallen into the wrong hands: the hands of the ransomware extortionists who raided Change's systems for precious data.

Once the embattled tech biz finishes assessing who exactly was affected, it will mail written letters to those individuals, we're told, though it also noted "we may not have sufficient addresses for all." That process should begin in late July.

Also in this week's update Change has, for the first time that we can tell, provided specific details about what types of records may have been exfiltrated by the thieves. This includes first and last names, dates of birth, phone numbers, email addresses, and the following:

  • Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payer ID numbers)
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment)
  • Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
  • Other personal information such as Social Security numbers, driver's licenses or state ID numbers, or passport numbers.

Change maintained it has "not yet seen full medical histories appear in the data review." 

Meanwhile, the corporation — and much of the American healthcare industry — continues the very slow recovery from the ransomware cyberattack, which began on February 12 when ALPHV affiliates used stolen credentials to break in. We understand the crooks used those creds to remotely access a Citrix-based management portal that didn't have multi-factor authentication enabled, and moved deeper into the corporation's network from there.
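The initial-access path described above, a valid credential used against a remote-access portal with no second factor, is something a SOC can hunt for after the fact if the portal records whether MFA was satisfied on each login. What follows is an added example, not code from The Register, Change Healthcare or Citrix: it runs a simple detection over constructed JSON login events (the field names, portal names, IP addresses and the per-user baseline are all assumptions, not real logs) and flags successful logins to MFA-required portals where no second factor was verified, raising the severity when the source address has never been seen for that account.

```python
"""Flag successful remote-access logins that completed without MFA.

Added example; not from the article or from Change Healthcare / Citrix.
The log format below is constructed for illustration. Real products emit
different fields, so map them into this shape before running the check.
"""
import json
from collections import defaultdict

# Constructed sample events (not real logs). "portal" names the application;
# "mfa" records whether a second factor was verified for that session.
SAMPLE_LOG = """\
{"ts":"2024-02-12T03:11:02Z","user":"svc_admin","portal":"mgmt-portal","src":"203.0.113.7","result":"success","mfa":false}
{"ts":"2024-02-12T03:12:40Z","user":"svc_admin","portal":"mgmt-portal","src":"203.0.113.7","result":"success","mfa":false}
{"ts":"2024-02-12T08:05:11Z","user":"jdoe","portal":"mgmt-portal","src":"198.51.100.20","result":"success","mfa":true}
{"ts":"2024-02-12T08:06:00Z","user":"jdoe","portal":"mgmt-portal","src":"198.51.100.20","result":"failure","mfa":false}
{"ts":"2024-02-12T09:30:00Z","user":"asmith","portal":"vpn-gateway","src":"192.0.2.44","result":"success","mfa":false}
"""

# Constructed per-user baseline of previously seen source IPs (assumption).
BASELINE_IPS = {
    "jdoe": {"198.51.100.20"},
    "svc_admin": {"10.0.5.5"},
    "asmith": {"192.0.2.44"},
}

# Portals where policy says a second factor is mandatory (assumption).
MFA_REQUIRED_PORTALS = {"mgmt-portal", "vpn-gateway"}


def parse_events(text):
    """Parse newline-delimited JSON login events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_mfa_gaps(events, required=MFA_REQUIRED_PORTALS, baseline=BASELINE_IPS):
    """Return one alert per successful login to an MFA-required portal
    that completed without MFA. A source IP never seen for that user
    (the stolen-credential pattern) bumps severity from medium to high."""
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["portal"] not in required:
            continue
        if ev["mfa"]:
            continue
        new_ip = ev["src"] not in baseline.get(ev["user"], set())
        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "portal": ev["portal"],
            "src": ev["src"],
            "new_source_ip": new_ip,
            "severity": "high" if new_ip else "medium",
        })
    return alerts


def summarize(alerts):
    """Count alerts per account so a repeatedly abused login stands out."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_mfa_gaps(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```

On the constructed input the two `svc_admin` logins come back as high-severity (no MFA, unfamiliar source), while `asmith` is medium (no MFA, but a known address). The detection is only a backstop: if the portal simply enforces MFA for every account, the no-MFA branch never fires and the check becomes a policy audit rather than an incident hunt.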

The criminals encrypted Change's IT systems about a week later, preventing patients from getting prescriptions filled and using medical services as expected under their health insurance plans. And it took nearly a month to bring the electronic prescription processing back online.

As of April, Change's costs associated with the attack were nearing $1 billion, and later that month UnitedHealth CEO Andrew Witty confirmed to US senators that his company had paid $22 million to the extortionists to ostensibly keep a lid on the stolen data.

Earlier this month, the Feds started shutting down financial support to healthcare providers that had faced cash-flow issues because of the ransomware infection.

Meanwhile, the healthcare sector remains a prime target for ransomware and other destructive cyberattacks. 

In early June, ransomware gang Qilin crippled services across hospitals in the UK capital after attacking pathology services provider Synnovis. On Friday the Russian crew began leaking patient data stolen during that raid.

In an interview with The Register, a member of Qilin told us they were intent on causing havoc in the attack. ®
