Change Healthcare Breach: A Third of Americans Potentially Impacted
The Scope of the Data Breach
Table of Contents
Two months after hackers infiltrated Change Healthcare’s systems, stealing and encrypting sensitive data, the full extent of the breach remains unclear. Andrew Witty, CEO of UnitedHealth Group, Change Healthcare’s parent company, stated last month that the stolen files contained personal health information belonging to “a substantial proportion of individuals in America.” During a House hearing this week, Witty provided a more specific estimate, suggesting that the breach may have affected “perhaps a third [of Americans] or somewhere of that degree.” He emphasized that this figure is still tentative as investigations are ongoing.
Multi-Factor Authentication: A Missed Opportunity
Witty acknowledged that the hackers exploited compromised credentials to remotely access a Change Healthcare Citrix portal lacking multi-factor authentication (MFA). This crucial cybersecurity measure, which adds an extra layer of security to logins, could have potentially prevented the breach. Senators grilled Witty on this oversight, questioning whether UnitedHealth and Change Healthcare systems are now adequately protected with MFA.
Strengthening Security Measures
Witty assured senators that “we have an enforced policy throughout the organization to have multi-factor authentication on all of our external systems, which is in place.” This statement suggests a commitment to bolstering security measures following the breach.
Notification Timeline and Data Exfiltration
In a written statement submitted before the hearings, Witty stated that “to date, we have not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.” However, he also mentioned that it could take several months for the company to complete its investigation and begin notifying victims of the breach.
The Impact on Individuals
While the exact number of individuals affected remains unknown, the potential impact of this breach is significant. Stolen personal health information can be used for identity theft, medical fraud, and other malicious purposes. It’s crucial for individuals to remain vigilant and monitor their credit reports and insurance statements for any suspicious activity. For more information on protecting yourself from data breaches, visit our data breach protection page.
