US Secretary of Veterans Affairs Denis McDonough said on April 25 that the personally identifiable information (PII) of 15 million US veterans may have been compromised in the February cyberattack on Change Healthcare. McDonough reported in his monthly press conference that Change Healthcare informed the Department of Veterans Affairs (VA) of the potential data leak earlier this week.
Change Healthcare, the nation’s largest payment processor of healthcare services, also processes many, if not all, of the healthcare and prescription payments for the VA.
In February, Change Healthcare was forced to disable its IT systems after a Russian ransomware gang called ALPHV infiltrated and took control of its customer databases and demanded an unspecified sum to get the databases back. The nearly month-long disruption caused many US pharmacies to stop processing prescriptions and many US customers to go without their medications.
Change Healthcare conducted an audit of its IT systems and databases in April and reported that it found evidence that some of its customers’ data made it onto the dark web.
“Based on initial targeted data sampling to date, the company has found files containing protected health information or personally identifiable information, which could cover a substantial proportion of people in America,” the company said.
United Healthcare Group, the parent company of Change Healthcare, told the VA this week that the PII of some of the veterans under its care were among the sample data discovered on hackers’ forums. United Healthcare said that patients’ medical histories and doctors’ charts were not among the data found.
VA Secretary McDonough assured veterans that, “We are pushing [United Healthcare] for more information. We will move quickly to provide full support and protect veteran data. We are not waiting for that confirmation.”
The VA has notified all 15 million veterans by email of the potential breach of their personal information. It also informed them in the email that they are eligible to sign up for two free years of credit monitoring, presumably provided by United Healthcare.