Massive Data Breach at US Health Insurance Provider Exposes 15 Million Records
A major US health insurance provider confirmed a data breach affecting approximately 15 million current and former members, with stolen data including Social Security numbers, medical records, and financial information.
Affected
What happened: A major US health insurance provider disclosed a data breach that exposed the personal and medical information of approximately 15 million current and former members. The breach was attributed to a ransomware attack that occurred over a multi-week period before detection. Stolen data includes full names, dates of birth, Social Security numbers, medical record numbers, health plan information, claims data, and in some cases financial account details. The organization is offering two years of identity monitoring to affected individuals.
Technical details: The attackers gained initial access through a compromised VPN credential belonging to a third-party IT vendor with access to the insurer's network. From there, the threat actors moved laterally for approximately three weeks, exfiltrating data from multiple database systems before deploying ransomware. The ransomware encrypted portions of the network but the primary impact was the data theft. The attack group is associated with a ransomware-as-a-service operation known for double extortion, where stolen data is published if ransom demands are not met.
Who is affected: Approximately 15 million individuals who hold or held health insurance policies with the affected provider. The exposure of medical and financial data creates elevated risk for medical identity fraud, insurance fraud, and targeted phishing attacks. Healthcare providers who submitted claims on behalf of these members may also have organizational data exposed.
What defenders should do: Healthcare organizations should audit third-party vendor access, particularly VPN and remote access credentials. Implement network segmentation to limit lateral movement from vendor access points. Deploy data loss prevention tools to detect large-scale data exfiltration. Ensure database access logging is enabled and monitored. Affected individuals should place fraud alerts with credit bureaus and monitor explanation of benefits statements for signs of medical identity theft.
Broader implications: Healthcare continues to be the most costly sector for data breaches, and the scale of this incident reinforces the attractiveness of health insurance providers as targets. The use of third-party vendor access as the initial compromise vector highlights the persistent challenge of supply chain security. The incident follows the Change Healthcare breach pattern and suggests the healthcare sector has not yet adequately addressed the systemic security weaknesses exposed by that earlier attack.
Sources