UnitedHealth Confirms Ransom, Compromised Health Data From Change Attack

An article from

Dive Brief:

• UnitedHealth Group said it paid hackers a ransom in an attempt to protect patient information from disclosure after a cyberattack against its subsidiary Change Healthcare in February, the company confirmed to Healthcare Dive on Monday. 
• The healthcare behemoth also said patient data may have been compromised. UnitedHealth found files involved in the cyberattack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America,” according to a press release. 
• UnitedHealth also said 22 screenshots of allegedly stolen files, some containing patient health information, were posted on the dark web for about a week. The healthcare giant said it’s continuing to monitor the internet and the dark web for stolen data.

Dive Insight:

Rumors that UnitedHealth may have paid a ransom to cybercriminals have swirled for weeks.

Early last month, Wired reportedAlphV or BlackCat, a cyber group that claimed responsibility for the February attack, received a $22 million transaction that looked “very much like a large ransom payment.” Last week, another group called RansomHub published what it said were private and sensitive records to extort a ransom from the company, according to reporting from TechCrunch.

UnitedHealth didn’t confirm how much it paid in ransom. A spokesperson said the payment was “part of the company’s commitment to do all it could to protect patient data from disclosure.”

So far, the company has not seen evidence that information like doctors’ charts or full medical histories were taken, according to a press release. UnitedHealth said it will likely take several months before enough information will be available to contact impacted individuals. 

The company also said it would take on breach reporting and notification requirements for customers whose data may have been exposed in the attack — a big concern for provider groups.

In March, the American Hospital Association and the Federation of American Hospitals wrote to the HHS’ Office for Civil Rights to clarify who would need to send out data breach notifications, noting that requiring hospitals to issue letters could result in duplicative work and confusion for patients. 

The latest update from UnitedHealth comes about two months after the attack was first reported. The incident has upended normal operations for the healthcare sector, with providers reporting challenges filing claims and receiving payments. 

Medical claims are now flowing near normal levels, according to the company. Payment processing by Change, which represents about 6% of all payments in U.S. healthcare, is at approximately 86% of pre-incident levels, UnitedHealth said.

The healthcare behemoth estimates costs from the attack could reach $1.6 billion this year. Though most of Change’s operations have resumed, the subsidiary might not return to expected service levels until 2025.