UnitedHealth paid ransom to bad actors, says patient data was compromised in Change Healthcare cyberattack

30.04.2024

UnitedHealth Group announced on Monday that it made a ransom payment to cyberthreat actors in an attempt to safeguard patient data, following the February cyberattack on its subsidiary Change Healthcare. The company also confirmed that personal information files were compromised during the breach.

“This attack was carried out by malicious threat actors, and we are continuing to collaborate with law enforcement and several leading cybersecurity firms as part of our investigation,” UnitedHealth told CNBC in a statement. “A ransom was paid as a measure of the company’s dedication to protecting patient data from exposure.”

The company did not disclose the amount of the ransom payment.

UnitedHealth, with over 152 million customers, stated that it had determined the cyberthreat actors accessed files containing protected health information and personally identifiable information, according to a release on Monday. The files “potentially encompass a significant portion of the American population,” the release noted.

Change Healthcare provides payment and revenue cycle management solutions. The company handles more than 15 billion transactions annually, with 1 in 3 patient records passing through its systems. This implies that even patients not affiliated with UnitedHealth could have been impacted by the attack.

UnitedHealth mentioned in the release that 22 screenshots, purportedly of the compromised files, were uploaded to the dark web. The company stated that no other data has been made public, and it has not observed any evidence indicating that doctors’ charts or complete medical histories were accessed during the breach.

“We understand that this attack has caused worry and disruption for consumers and healthcare providers, and we are committed to providing all possible assistance and support to those affected,” stated UnitedHealth CEO Andrew Witty in the release.

UnitedHealth informed concerned patients that they can visit a dedicated website for access to resources. The company has established a call center that will provide free identity theft protection and credit monitoring for two years, the release mentioned.

Due to the “ongoing nature and complexity of the data review,” UnitedHealth stated that the call center will not be able to provide specific details about individual data impacts.