UnitedHealth Group (UHG) has revealed that the cyberattack on its subsidiary, Change Healthcare, in February may have compromised the data of "a substantial proportion of people in America." The company also confirmed that it paid a ransom to the cyberthreat actors in an attempt to protect patient information from being disclosed.
In an update released on Monday, UHG stated that files containing protected health information (PHI) and personally identifiable information (PII) were accessed during the breach. The company has not seen evidence of doctors' charts or full medical histories being exfiltrated, but it noted that 22 screenshots allegedly from Change Healthcare's files were posted on the dark web for about a week by the malicious threat actors.
"This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cyber security firms during our investigation," UnitedHealth told CNBC in a statement. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure." The company did not disclose the amount of the ransom payment.
Change Healthcare, a top insurance processing company in the U.S., facilitates more than 15 billion transactions annually, and 1 in every 3 patient records passes through its systems. This means that even patients who are not UnitedHealth customers could have been affected by the attack.
Due to the scope of the breach, UHG said it will likely take "several months" to identify and notify customers who were impacted. The company has launched a dedicated website where customers can access resources and has set up call centers to offer free credit monitoring and identity theft protection for two years to affected individuals.
"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," UnitedHealth CEO Andrew Witty said in a statement. Witty is scheduled to testify before the House Energy and Commerce Subcommittee on Oversight and Investigations on May 1.
UnitedHealth's ownership of Change Healthcare has reignited concerns over vertical integration and the risks involved in single companies commanding large swaths of the healthcare industry. The U.S. Department of Justice tried to block the acquisition and reportedly launched an antitrust investigation into UHG earlier this year.
Federal Trade Commission Chair Lina Khan commented on the Change Healthcare cyberattack while speaking with reporters on Tuesday, stating, "It's fair to say we have seen ways in which consolidation and concentration of data can create more vulnerabilities, right. Because if there's a hack, there's more that could get exposed. And so we see some of those interconnections."
Khan emphasized the importance of data minimization, stating that companies should "really minimize what data you're even collecting or storing in the first place."
