Change Healthcare confirms ransomware hackers stole medical records on a 'substantial proportion' of Americans

Pages from the United Healthcare website are displayed on a computer screen, Feb. 29, 2024, in New York. UnitedHealth says files with personal information that could cover “a substantial portion of people in America” may have been taken in the cyberattack on its Change Healthcare business.

Image Credits: Patrick Sison / AP

Change Healthcare has confirmed a February ransomware attack on its systems, which brought widespread disruption to the U.S. healthcare system for weeks and resulted in the theft of medical records affecting a “substantial proportion of people in America.”

In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack. 

The health tech giant, owned by U.S. insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company has access to massive amounts of health information on about a third of all Americans. 

The cyberattack prompted the company to shut down its systems, resulting in outages and delays to thousands of healthcare providers who rely on Change, and affecting countless patients who could not obtain prescriptions or had medical care or procedures delayed. 

Change said in its latest statement that it “cannot confirm exactly” what data was stolen about each individual, and that the information may vary from person to person. 

The affected information includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identity documents, such as Social Security numbers, driver licenses and passport numbers.

The data also includes medical records and health information, such as diagnoses, medications, test results, imaging and care and treatment plans, said Change. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said includes financial and banking information. 

Change said it was still in the “late stages” of its review of the stolen data to determine what was taken and that more affected individuals may be identified. Some of the stolen information may relate to guarantors who paid healthcare bills for someone else, the company said.

The company added that affected individuals should receive notice by mail beginning late July.

The ransomware attack on Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records. While the full impact of this data breach remains unclear, the ramifications for the millions of Americans whose private medical information was irretrievably compromised are likely incalculable.

Change said it secured a copy of the stolen dataset in March to review for identifying and notifying affected individuals, which TechCrunch previously reported was obtained in exchange for paying a ransom demand.

UnitedHealth confirmed it paid at least one ransom demand to the cybercriminal group behind the ransomware attack, known as ALPHV, in an effort to prevent the publication of the stolen files. Another hacking group called RansomHub demanded an additional payment from UnitedHealth after claiming ALPHV made off with the first ransom payment but left the stolen data with one of its affiliates — essentially a contractor — who broke in and deployed the ransomware on Change’s systems.

RansomHub subsequently published several files on its dark web leak site and threatened to sell the data to the highest bidder if another ransom wasn’t paid. 

According to UnitedHealth chief executive Andrew Witty, the hackers broke into Change Healthcare’s network using a set of stolen credentials to an internal system that was not protected with multi-factor authentication, a security feature that makes it more difficult for malicious hackers to misuse stolen passwords.

The ransomware attack cost UnitedHealth around $870 million in the first three months of the year, during which the company made $100 billion in revenue, according to the company’s earnings report. UnitedHealth is expected to report its most recent earnings in mid-July.

Evolve Bank says ransomware gang stole personal data on millions of customers

Image Credits: Carol Yepes / Getty Images

U.S.-based banking-as-a-service giant Evolve Bank & Trust said that cybercriminals accessed the personal data of millions of customers during a recent cyberattack.

In a filing with Maine’s attorney general on Monday, Evolve confirmed that the personal data of at least 7.6 million people, including more than 20,000 customers based in Maine, was accessed during the incident, the fallout from which continues to grow. 

When reached by TechCrunch, Evolve spokesperson Eric Helvie declined to say if the bank expects the number of affected individuals to grow.

Evolve did not specify what types of data had been compromised in the filing, but it previously said in a statement on its website that attackers accessed the names, Social Security numbers, bank account numbers and contact information belonging to its personal banking customers, the personal data of Evolve employees and information belonging to customers of its financial technology partners.

This list of partners includes Affirm, which recently confirmed that the Evolve breach “may have compromised some data and personal information” of its customers. Another Evolve partner, the fintech startup Mercury, said in a post on X that the Evolve breach impacted “some account numbers, deposit balances, business owner names, and emails.” 

Money transfer organization Wise (formerly TransferWise) also confirmed last week that “some Wise customers’ personal information may have been involved.”

It’s not yet known whether the list of compromised data types is likely to grow, but Evolve said it’s “still investigating what other personal information was affected, including information regarding our business, trust, and mortgage customers.”

Last week, Evolve confirmed that the breach was the result of a February ransomware attack carried out by the Russia-linked LockBit gang, which earlier this year was disrupted by a multi-government operation but whose administrator remains at large.

The bank identified the intrusion in May, when it discovered that the hackers had gained access to its systems. Evolve said it did not pay the hackers’ ransom demand, which led to LockBit publishing the compromised data on its since-revived dark web leak site. 

In the letter sent to affected customers, Evolve said that the hackers accessed and downloaded “customer information from Evolve’s databases and a file share during periods in February and May 2024.”

Updated with response from Evolve, declining to answer questions about the breach.

AT&T says criminals stole phone records of 'nearly all' customers in new data breach

Image Credits: Mark Makela / Getty Images

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers, a company spokesperson told TechCrunch.

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022. 

AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T’s network, the company said. 

AT&T said the stolen data “does not contain the content of calls or texts,” but does include calling and texting records that an AT&T phone number interacted with during the six-month period, as well as the total count of a customer’s calls and texts, and call durations — information that is often referred to as metadata. The stolen data does not include the time or date of calls or texts, AT&T said.

Some of the stolen records include cell site identification numbers associated with phone calls and text messages, information that can be used to determine the approximate location of where a call was made or text message sent.

In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch. 

AT&T published a website with information for customers about the data incident. AT&T also disclosed the data breach in a filing with regulators before the market opened on Friday.

Breach linked to Snowflake

AT&T said it learned of the data breach on April 19, and that it was unrelated to its earlier security incident in March. 

AT&T’s Huguely told TechCrunch that the customer records in the most recent compromise were stolen from the cloud data giant Snowflake during a recent spate of data thefts targeting Snowflake’s customers.

Snowflake allows its corporate customers, like tech companies and telcos, to analyze huge amounts of customer data in the cloud. It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say.

AT&T is the latest company in recent weeks to confirm it had data stolen from Snowflake, following Ticketmaster and LendingTree subsidiary QuoteWizard, and others.

Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts, a security feature that the cloud data giant did not enforce or require its customers to use. 

Cybersecurity incident response firm Mandiant, which Snowflake called in to help with notifying customers, later said about 165 Snowflake customers had a “significant volume of data” stolen from their customer accounts. 

Mandiant attributed the breach to an as-yet-uncategorized cybercriminal group tracked only as UNC5537. Mandiant’s researchers say the hackers are financially motivated and have members in North America and at least one member in Turkey. 

Some of the other corporate victims of the Snowflake account thefts had data subsequently published on known cybercrime forums. For AT&T’s part, the company said that it does not believe that the data is publicly available at this time.

AT&T’s statement said it was working with law enforcement to arrest the cybercriminals involved in the breach. AT&T said that “at least one person has been apprehended.” AT&T’s spokesperson said that the arrested individual was not an AT&T employee, but deferred questions about the alleged criminals to the FBI.

An FBI spokesperson confirmed to TechCrunch on Friday that after the phone giant contacted the agency to report the breach, AT&T, the FBI and the Department of Justice agreed to delay notifying the public and customers on two occasions, citing “potential risks to national security and/or public safety.”

“AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work,” the FBI spokesperson said.

The FBI did not comment on the arrest of one of the alleged cybercriminals.

This is the second security incident AT&T has disclosed this year. AT&T was forced to reset the account passcodes of millions of its customers after a cache of customer account information — including encrypted passcodes for accessing AT&T customer accounts — was published on a cybercrime forum. A security researcher told TechCrunch at the time that the encrypted passcodes could be easily decrypted, prompting AT&T to take precautionary action to protect customer accounts.

Updated with comment from the FBI.

Fidelity National Financial says hackers stole data on 1.3 million customers

The headquarters building of Fidelity National Information Services Inc. stands in Jacksonville, Florida, U.S., on Wednesday, May 12, 2010. Blackstone Group LP, Thomas H. Lee Partners LP and TPG Capital are in talks to pay more than $15 billion including debt for Fidelity National Information Services Inc., said a person with knowledge of the matter. Photographer: Lori Moffett/Bloomberg via Getty Images

Image Credits: Lori Moffett/Bloomberg via Getty Images

Real estate services giant Fidelity National Financial has confirmed hackers stole data on 1.3 million of its customers during a November cyberattack that knocked the company offline for a week.

FNF said in a filing Tuesday with federal regulators: “We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data.” The company said it has “notified its affected customers and applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers.”

The filing did not say what specific customer data was stolen, but said FNF is providing credit monitoring and identity theft services to affected customers, suggesting that the stolen customer information was personal or sensitive in nature.

FNF spokesperson Lisa Foxworthy-Parker did not respond to TechCrunch’s email requesting further details.

FNF said it “contained” the cyberattack on November 26 following a week-long outage that virtually froze all of the company’s operations and much of its subsidiaries’ operations. Customers were unable to pay their mortgages. One of FNF’s subsidiaries described the incident as a “catastrophe” in an automated message for customers.

The ransomware gang known as ALPHV (or BlackCat) claimed responsibility for the FNF cyberattack in a post on its dark web leak site, which it uses to extort victims into paying the hackers to remove and delete the data. ALPHV subsequently removed FNF from its site. Ransomware and extortion gangs sometimes remove a victim’s information when the victim pays the ransom.

FNF was one of several corporate victims of cyberattacks in recent weeks targeting the mortgage and loan industry, including LoanDepot and Mr. Cooper.
