Cybercriminals who broke into Change Healthcare’s systems and held data for ransom on the dark web likely had access to the company’s network for more than a week prior to any attack.
According to coverage from the Washington Post, the hackers had access to Change Healthcare’s systems as early as Feb. 12, nine days before the Feb. 21 ransomware incident took place. Citing “a person familiar with the cyber investigation,” the group was reportedly able to use stolen credentials on a remote access application that gives employees entry into Change Healthcare’s network.
Regardless of how it happened, the data breach disrupted insurance payments across the country, with ripple effects that still persist over two months later.
Despite paying a $22 million ransom, data stolen from the hack ended up on the dark web when Change Healthcare and parent company UnitedHealth Group failed to pay a second ransom. More concerning, the criminals claimed to have names, addresses, contact information, insurance information and detailed medical histories on nearly every American—all of which are now for sale on the dark web.
In a statement released earlier this week, UnitedHealth seemed to confirm the hackers’ claims, writing that the data taken contained personal health information from “a substantial proportion of people in America,” including high-profile individuals such as politicians and active duty military. However, the company said it has “not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” adding that it will take months to identify and notify everyone whose data was compromised.
Damage is still being done
It’s not yet clear what cybercrime cell is responsible for the data breach, as multiple groups have taken credit. However, RansomHub is the group posting data from the hack onto the dark web. The data trove, now advertised as for sale, is said to contain “thousands of source code files from Change Healthcare solutions”—meaning, the roadmap for another breach may be online along with your protected health information.
In a recent call with investors, UnitedHealth said the Change Healthcare breach has already cost the company $872 million in losses, and that number is expected to reach $1.6 billion before this saga comes to a close.