The ransomware group that attacked a subsidiary of UnitedHealth Group stole massive amounts of customers’ private health care data, the latest in a continuing string of information coming out about the data breach.

In a statement this week, UnitedHealth said that, based on targeted sampling of the data taken, the number of files that contained such protect health or personally identifiable information “could cover a substantial proportion of people in America.” To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”

The company, which has more than 152 million customers, is still sorting through the damage caused by the February attack on Change Healthcare, whose technology processes payments, medical and insurance claims, and prescription orders for hundreds of thousands of hospitals, health care clinics, and pharmacies in the United States.

UnitedHealth said it likely will take “several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” adding that as yet, there is no indication that the bad actors exfiltrated such information as doctors’ charts or the full medical histories of customers.

Not an Official Breach Notification

The company said it is continuing to work with law enforcement agencies and regulators, but added that the communication this week wasn’t an official breach notification. That will come after more information about the incident is uncovered.

The amount and kind of data that was stolen, the wide-ranging impact – which included week-long problems for hospitals and pharmacies – the involvement of the federal government in the weeks since, and the drama among the cybercriminal groups behind the attacks have helped keep a spotlight on the incident.

According to the Wall Street Journal, an affiliate of the high-profile BlackCat ransomware group – also known as ALPHV – used stolen credentials to get into Change’s network and stayed there for nine days before deploying the ransomware, giving it enough time to exfiltrate data. As part of the effort to mitigate the damage, UnitedHealth this week admitted that it paid a ransom in hopes of protecting customer data.

The company didn’t disclose the ransom amount, but the cybercriminals have suggested that it was $22 million.

Steve Hahn, executive vice president of Americas for ransomware protection company BullWall, said it’s not surprising that the threat group used compromised credentials before the attack, adding that such techniques are used in more than 95% of ransomware attacks.

“This is an incredibly simple and incredibly effective process,” Hahn said. “Once they have the same rights as the most trusted users in the organization, they can essentially do anything they want.”

More Than One Threat Group to Deal With

BlackCat is a ransomware-as-a-service (RaaS) operation, which typically entails an affiliate group using its malicious code in an attack and sharing the stolen money. However, the affiliate group said BlackCat – which had been a target of international law enforcement agencies – kept the entire $22 million in what may have been a swan song for the group, which said it was closing up shop, though that isn’t confirmed.

An extortion gang called RansomHub – which said it was associated with the affiliate group – then demanded another ransom from UnitedHealth and last week began leaking what it said was some of the sensitive patient data stolen during the attack on Change, threatening to sell the data if a ransom wasn’t paid.

The attack had a broad affect in the health care industry, making it difficult for pharmacies to fill orders, hospitals to access patient records or dispense medication, or get paid for their work. Health care providers suddenly could not provide care and faced financial issues. UnitedHealthcare itself said it lost more than $872 million due to the attack.

The Government Gets Involved

The widespread impact and the accompanying hardships brought government agencies into the picture, with health care organizations leaning on the government to help get funding for the struggling hospitals and other health care businesses that had lost billions of dollars in revenue and members of Congress filed bills to speed up Medicare payments.

Now UnitedHealth CEO Andrew Witty will appear before Congress May 1, when he’s scheduled to testify before the Subcommittee on Oversight and Investigations of the House Energy and Commerce Committee. In a letter to Witty April 15, committee leaders noted that Change’s system process about 15 billion transactions a year and are used by about 900,000 physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals in the United States.

The attack on Change and the resulting widespread fallout is a warning for the health care industry and the country, according to the letter signed by Committee Chair McMorris Rodgers (R-MI) and Ranking Member Rep. Frank Pallone (D-NJ), among others.

“The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” they wrote. “It is important for policymakers to understand the events leading up to, during, and after the Change Healthcare cyberattack.”

Breach Notifications are Not Enough

Piyush Pandey, CEO of application security vendor Pathlock, said the UnitedHealth incident “highlights a critical junction in cybersecurity and regulatory responses to data breaches involving sensitive personal information,” noting that while current laws mandate timely notifications of data breach, more may need to be done.

“Given the scale of the protected health information (PHI) and personally identifiable information (PII) compromised, the focus could beneficially shift towards enforcing more stringent data protection measures, such as data masking and dynamic access controls,” Pandey said. “By mandating these advanced protective measures, regulators could significantly enhance the security of sensitive information, thereby reducing the likelihood and potential impact of data breaches. This shift could serve as a more proactive approach to data protection.”