UnitedHealth Group has discovered files containing the personal information of millions of Americans whose data may have been compromised in a February cyberattack that disrupted the U.S. health care system.
A sample of the compromised files contains personal information, including health data, that “potentially covers a significant percentage of the population of the United States,” according to a statement posted Monday on the company's website. It turned out that this was the case.
The disclosure suggests this attack may be one of the largest healthcare data breaches on record. Before the hack, Change Healthcare said he processed $2 trillion in health insurance claims and processed 15 billion transactions a year. The disclosure could increase pressure on the company from Washington to explain the cause of the hack and its response.
Two months after the attack on the company's Change Healthcare division came to light, the health system is still grappling with the fallout. Among the many unanswered questions is how many people's personal data may have been compromised.
UnitedHealth said it could take months to tally up the privacy impact. The company has not yet found any evidence that doctors' charts or complete medical histories were exposed. It has set up a website and call center to help people monitor their credit.
Under health privacy regulations, companies typically have 60 days to report data breaches to the Department of Health and Human Services. The agency began investigating the incident last month.
Late last week, the HHS office that oversees data breach reporting said it had not received notification from UnitedHealth, Change Healthcare or any other affected entities, according to its website.
payment of ransom
Earlier Monday, the company paid the ransom in the attack “as part of our commitment to doing everything we can to protect patient data from compromise,” a company spokesperson said in an email. UnitedHealth declined to provide further details.
UnitedHealth said last week that the attack could reduce its revenue this year by up to $1.6 billion, most of which is a one-time charge that will be excluded from its adjusted results.
The Wall Street Journal reported Monday, citing people familiar with the investigation, that the hackers had infiltrated Change Healthcare's systems more than a week before they were discovered. The newspaper said they gained access through compromised credentials that lacked multi-factor authentication checks designed to thwart attackers.
UnitedHealth declined to comment to Bloomberg about the report.
Some doctors and hospitals say they still face funding disruptions weeks after UnitedHealth began bringing downed systems back online. CEO Andrew Whitty is scheduled to testify about the attack in Congress next week.
Wired reported last month that the hacker group involved in the attack received $22 million in Bitcoin on March 1st. UnitedHealth previously declined to comment on the ransom payment.
Photo above: UnitedHealth website on a laptop located in New York, USA, Friday, July 7, 2023. UnitedHealth Group, Inc. is scheduled to release earnings numbers on July 14th.
Copyright 2024 Bloomberg.
Want to stay informed?
Get the latest insurance news
Sent directly to your inbox.