UnitedHealth paid ransom to fraudsters, says patient data was compromised


UnitedHealth Group said Monday that it paid ransoms to cyber threat actors to try to protect patient data following the cyberattack on its Change Healthcare subsidiary in February. The company also confirmed that files containing personal information were compromised as a result of the breach.

“This attack was carried out by malicious threat actors and we continue to work with law enforcement and several leading cybersecurity firms during our investigation,” UnitedHealth said in a statement to CNBC. “Paying a ransom was part of the company’s commitment to do everything in its power to protect patient information from disclosure.”

The company did not provide any information about the amount of the ransom payment.

UnitedHealth, which has more than 152 million customers, said it also discovered that the cyber threat actors accessed files containing protected health information and personally identifiable information, according to a news release Monday. The files “could cover a significant portion of the people of America,” the press release said.

Change Healthcare offers payment and revenue cycle management tools. The company facilitates more than 15 billion transactions annually and one in three patient records passes through its systems. This means that patients who are not UnitedHealth customers could also be affected by the attack.

UnitedHealth said in the press release that 22 screenshots purportedly of the compromised files were uploaded to the dark web. The company said no other data was released and it had seen no evidence that medical records or complete medical histories were accessed in the breach.

“We know this attack has been concerning and disruptive to consumers and providers, and we are committed to doing everything we can to help and support anyone who may need it,” UnitedHealth CEO Andrew Witty said in the press release.

UnitedHealth said affected patients can visit a dedicated website to access resources. The company has opened a call center that will provide free identity theft protection and credit monitoring for two years, the statement said.

The call center will not be able to offer details on the impact on individual data given the “ongoing nature and complexity of data review,” UnitedHealth said.
