The parent company of Change Healthcare announced Monday that a February ransomware attack on its subsidiary resulted in access to the personal information of “a significant percentage of people in the United States.”
The company is facing questions from health care providers and lawmakers about what personal data was in the hands of hackers who claim to own terabytes of company data.
At a Congressional hearing last week, a doctor said that UnitedHealth Group, which owns Change Healthcare, handles about one in three medical records and processes about half of all medical claims in the United States. He testified that he had repeatedly asked the company to clarify what he should tell patients.
UnitedHealth said in a statement that it would provide two years of free credit monitoring and identity theft protection to those affected, but did not know how many people were affected or how the health care giant would use the information it obtained. It did not say whether anyone would know.
“Based on the first targeted data sampling to date, the company discovered files containing protected health information (PHI) or personally identifiable information (PII) that may be linked to a significant portion of people in the U.S.,” the company said.
“Given the nature and complexity of ongoing data reviews, it may take several months of ongoing analysis before sufficient information is available to identify and notify affected customers or individuals.”
The company did not respond to several questions about the estimated number of people affected, the type of information accessed, and the ransom paid to the hackers. UnitedHealth Group confirmed to CNN and CNBC on Monday that it had paid the ransom “as part of the company's commitment to protecting patient data from breaches.”
It is unclear whether that payment was the $22 million reportedly paid to the AlphV ransomware group several weeks ago, or was made to another group of hackers who put the company's data up for sale through a group called RansomHub. RansomHub reportedly deleted its UnitedHealth Group post over the weekend.
The company's statement referred to the RansomHub post, saying 22 screenshots of leaked files containing some personal information were posted on the site. UnitedHealth said the information was only posted on the dark web for about a week and that “there have not been any further disclosures of PHI or PII at this time.”
Hackers infiltrated UnitedHealth Group's systems for more than a week before launching the ransomware attack, gaining initial access using compromised credentials for a remote management tool, The Wall Street Journal reported Monday.
In a statement last month, the U.S. Department of Health and Human Services (HHS) announced that it had begun an investigation into whether protected health information was compromised and whether Change Healthcare and UHG complied with Health Insurance Portability and Accountability Act (HIPAA) rules.
UnitedHealth Group has set up a website and call center for victims to get more information, but said it is “unable to provide details on the impact of individual data at this time.”
The company said in a House hearing last week that it plans to address direct complaints filed by doctors, notify victims and cover regulatory requirements on behalf of providers and customers.
The company's CEO, Andrew Witty, is scheduled to testify before the House Energy and Commerce Committee on May 1.