UnitedHealth Paid Ransom to Cyberhackers After Patients' Personal Data Was Compromised

UnitedHealth Group has paid an undisclosed ransom to hackers in an attempt to retain patient data that may have been compromised.

The attack, which happened in February, affected patients of Change Healthcare, a division of United’s Optum.

“This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cyber security firms during our investigation,” a UnitedHealth rep told CNBC. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”

Related: A Cyberattack on the Largest Health Insurer in the U.S. Could Put Your Prescriptions and Personal Data at Risk

UnitedHealth revealed that the hacked files contained protected health information and personally identifiable information to “a substantial proportion of people in America,” though the company did not disclose exactly how many patients were affected.

So far, UnitedHealth said there was no evidence of data being exfiltrated to be used maliciously, and doctors’ charts and medical histories do not seem to be part of the hacked data set.

“We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Andrew Witty, CEO of UnitedHealth Group, in a company release.

UnitedHealth estimates it will take several months of analysis to determine the specific individuals affected by the hack, but 22 screenshots from what appeared to be exfiltrated files containing Persona Health Information (PHI) and Personal Identifiable Information (PII) were posted on the dark web for a week.

Related: Maine Hacked in Data Breach, 1.3 Million Residents At Risk

The company is offering two years of free access to a dedicated call center for credit monitoring and identity theft protection to those impacted.

“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved,” UnitedHealth said.

Source link

About The Author

Scroll to Top