Breaking: UnitedHealth admits to paying ransomware attackers over stolen Change patient data (updated)

Admitted, finally, to CNBC on Monday. UnitedHealth told CNBC in a statement: “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.” UHG’s release alludes to this, but without specifics as to which entity was paid (ALPHV? RansomHub?) or the amount. It vaguely states that it reviewed 22 screenshots “some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor” and that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals”. This seems to point to the most recent RansomHub offer of 4TB of Change Healthcare PHI/PII for sale, not the original breach, but UHG’s information is inconclusive for the reader. Also Becker’s.

However, the admission that Change files were breached and a ransom was paid is substantial and points to multiple leaks of the PHI and PII on multiple sites. Although no customers have been identified or notified yet, UHG is offering a support hotline to individuals concerned about the cyberattack, along with free credit monitoring and identity theft protections for two years plus “emotional support.”

Another fun fact that DataBreaches.net points to in its short article is that the Wall Street Journal (also cited by TechCrunch) said that its research indicated that the original breach came from stolen remote access credentials. It took only a week for ALPHV’s hackers to explore the system before deploying the ransomware and hacking software through Change’s systems. Updated: the WSJ pins the original breach to 12 February, but the hackers didn’t ‘detonate’ the ransomware till 21 February. Also, multi-factor authentication is standard operating procedure for remote access, but MFA wasn’t enabled here. Developing and will be updated. Our article posted on Monday here with links to our prior articles.
