UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’

Health insurance giant UnitedHealth Group confirmed that a ransomware attack on its health technology subsidiary Change Healthcare earlier this year resulted in a massive theft of Americans’ private health data.

UnitedHealth said in a statement Monday that a ransomware gang recovered files containing personal data and protected health information that it said could “cover a substantial proportion of people in America.”

The health insurance giant did not say how many Americans are affected, but said reviewing the data “will likely take several months” before the company begins notifying individuals that their information has been stolen during the cyber attack.

Change Healthcare processes insurance and billing for hundreds of thousands of hospitals, pharmacies, and physician practices across the U.S. healthcare industry; it has access to massive amounts of information about the health of about half of Americans.

UnitedHealth said it has not yet seen evidence that medical records or complete medical histories were exfiltrated from its systems.

Admission that hackers stole Americans’ health data comes a week after a new hacking group began publishing portions of the stolen data in an attempt to extort a second ransom demand from the company .

The gang, which calls itself RansomHub, posted several files on its dark web leak site containing personal patient information in a series of documents, some of which included internal files linked to Change Healthcare. RansomHub said it would sell the stolen data unless Change Healthcare paid a ransom.

RansomHub is the second gang to demand ransom from Change Healthcare. The health tech giant reportedly paid $22 million to a Russia-based criminal gang called ALPHV in March, which then disappeared, depriving the subsidiary that committed the data theft of its share of the ransom.

RansomHub claimed in its post alongside the published stolen data that “we have the data and not ALPHV”.

In its statement Monday, UnitedHealth acknowledged the release of some files, but did not claim ownership of the documents. “This is not an official notification of a breach,” UnitedHealth said.

The Wall Street Journal reported Monday that ALPHV’s criminal hacking subsidiary broke into Change Healthcare’s network using stolen credentials for a system allowing remote access to its network. The hackers were present in Change Healthcare’s network for more than a week before deploying ransomware, allowing them to steal significant amounts of data from the company’s systems.

The cyberattack on Change Healthcare began on February 21 and resulted in widespread and ongoing outages at pharmacies and hospitals across the United States. For weeks, doctors, pharmacies and hospitals were unable to verify the benefits to patients in dispensing medications, arranging hospital care or processing the prior authorizations needed for surgical procedures.

Much of the U.S. health care system is paralyzed, with care providers facing financial pressures as backlogs grow and outages persist.

UnitedHealth reported last week that the ransomware attack cost it more than $870 million in losses. The company said it had revenue of $99.8 billion in the first three months of the year, higher than Wall Street analysts expected.

UnitedHealth CEO Andrew Witty, who received nearly $21 million in total compensation for all of 2022, is expected to testify before House lawmakers on May 1.