Omar Marques | Light flare | Getty Images
UnitedHealth Group said Monday it paid a ransom to cyberthreat actors in an attempt to protect patient data, following the February cyberattack on its subsidiary Change Healthcare. The company also confirmed that files containing personal information were compromised in this breach.
“This attack was carried out by malicious actors, and we continue to work with law enforcement and several major cybersecurity companies during our investigation,” UnitedHealth told CNBC in a statement. “A ransom was paid as part of the company’s commitment to do everything possible to protect patient data from disclosure.”
The company did not specify the ransom amount.
UnitedHealth, which has more than 152 million customers, said it also determined that cyberthreat actors accessed files containing protected health information and personally identifiable information, according to a statement Monday. The files “could cover a substantial proportion of people in America,” the statement said.
Change Healthcare offers payment and revenue cycle management tools. The company facilitates more than 15 billion transactions per year and one in three patient records passes through its systems. This means that even patients who are not UnitedHealth customers could have been affected by the attack.
UnitedHealth said in the statement that 22 screenshots, allegedly of compromised files, were uploaded to the dark web. The company said no further data has been released and it has found no evidence that medical records or full medical histories were accessed in this breach.
“We know this attack has caused concern and disruption to consumers and providers and we are committed to doing everything we can to help and provide support to anyone who may need it,” said Andrew Witty, CEO of ‘UnitedHealth, in the press release.
UnitedHealth said affected patients can visit a dedicated website to access resources. The company has launched a call center that will offer free identity theft protections and credit monitoring for two years, the release said.
The call center will not be able to provide details on the impact of individual data given the “ongoing nature and complexity of data review,” UnitedHealth said.
cnbc
