Change Healthcare notifies OCR that it sent 100 million notices following February ransomware attack

In Data Breach News, Malware Ransomware
October 26, 2024

Eight months after the biggest breach ever involving patient data, Change Healthcare informed the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) that it has sent individual notifications to 100 million affected patients. This is the first time it has revealed an actual number since an April update in which it estimated that perhaps one third of all Americans had been affected by the ransomware incident.

Hit by the dangerous ransomware group known as AlphV or BlackCat, Change Healthcare made the decision to pay the attackers’ demands to get a decryptor key. But the $22 million it reportedly paid wound up in the hands of one person instead of being shared with the affiliate involved in the attack, who had exfiltrated all the data. The AlphV administrator took the money and ran, leaving the affiliate to post on the RAMP forum about what had happened and to demand payment if Change Healthcare didn’t want all the patient data leaked.

The situation was so serious that HHS did not wait to act. In March, it issued a statement, published a “Dear Colleague” letter, and opened an investigation. In April, Congress began investigating after the data appeared to have been put up for sale on a dark web leak site by the affiliate or some other group that had obtained the data.

Change Healthcare’s substitute notice can be found on its website. Its last update was in August.

The Change Healthcare breach impacted everyone. A hearing by the House & Energy Committee in May touched on some of the impact.

Are the 100 million individual notices sent the sum total of all those affected, or might more notices be sent over time? That is not clear, but Change Healthcare is still attempting to recover from this breach. It will also undoubtedly have a lot of regulatory matters and litigation to address.

The Change Healthcare breach is “one for the books,” but its story is still not fully written.