In a bid to safeguard patient data, UnitedHealth Group, a prominent healthcare conglomerate, confirmed that it has paid ransom to cyberthreat actors after its subsidiary, Change Healthcare, fell victim to a cyberattack in February. The company also acknowledged that files containing personal information were compromised in the Change Healthcare cyberattack.
According to a statement provided to CNBC, UnitedHealth stated, “This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cybersecurity firms during our investigation. A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
Ransom Payment Amount And Method
Though the exact ransom amount was not disclosed by UnitedHealth, Wired magazine reported on March 4 that the company likely paid around $22 million in bitcoin to the attackers, citing darknet forum posts and blockchain analysis.
The Cyber Express Team contacted Change Healthcare officials to inquire about the reported ransom payment. However, at the time of publication, no official response has been received.
UnitedHealth further disclosed that cyberthreat actors accessed files containing protected health information (PHI) and personally identifiable information (PII). The breached files could potentially affect a significant portion of the American population.
However, the company clarified that, to date, there is no evidence of exfiltration of materials such as doctors’ charts or full medical histories among the compromised data.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” reads the official release.
Andrew Witty, CEO of UnitedHealth Group, expressed the company’s commitment to addressing the concerns raised by the attack, stating, “We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it.”
Change Healthcare Cyberattack Details and Infiltration
The attackers, identified as the ALPHV ransomware gang or one of its affiliates, infiltrated Change Healthcare’s networks more than a week before launching the ransomware strike, as reported by The Wall Street Journal.
They gained entry through compromised credentials on an application that allows staff to remotely access systems, as multifactor authentication protocols were not enabled on this particular application.
In response to the breach, UnitedHealth has taken steps to mitigate the impact on affected individuals. The company has set up a dedicated website for patients to access resources and launched a call center offering free identity theft protection and credit monitoring for two years.
However, due to the ongoing complexity of the data review, the call center is unable to provide specific details about individual data impact.
Change Healthcare, which processes approximately 15 billion transactions a year and handles one in three medical records, suffered significant disruption from the attack. More than 100 systems were shut down, affecting numerous healthcare providers and leaving some reliant on loans and personal funds to stay operational.
UnitedHealth reported that the attack has cost the company 2 million so far.
Recovery Efforts and Assistance Programs
Despite the challenges, UnitedHealth has been steadily restoring systems since March, including pharmacy software, claims management, and other platforms. The company has also launched financial assistance programs, although some providers have expressed dissatisfaction with the amounts offered and reported feeling pressured to make positive public comments about the loans by UnitedHealth staff.
As UnitedHealth continues its efforts to recover from the cyberattack, it remains vigilant in ensuring the security of patient data and strengthening its cybersecurity defenses to prevent future incidents.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
