Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health technology subsidiary Change Healthcare earlier this year resulted in a massive theft of Americans’ private healthcare data.
UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a significant percentage of people in America.”
The health insurance giant did not say how many Americans were affected, but said the data review is “likely to take several months” before the company begins notifying people that their information was stolen in the cyberattack.
Changing healthcare processes Insuring and billing hundreds of thousands of hospitals, pharmacies and medical practices in the US healthcare sector. has access to vast amounts of health information for about half of Americans.
UnitedHealth said it has yet to see evidence that doctors’ charts or complete medical records were breached from its systems.
The admission that hackers stole Americans’ health data comes a week after a new hacking group began publishing portions of the stolen data in an attempt to extort a second ransom demand from the company.
The gang, which calls itself RansomHub, published several files on its website containing personal information about patients in a series of documents, some of which included internal files related to Change Healthcare. RansomHub said it will sell the stolen data unless Change Healthcare pays a ransom.
RansomHub is the second gang to demand ransom from Change Healthcare. The health tech giant reportedly paid $22 million to a Russian-based criminal gang, ALPHV, in March, which has since disappeared, making it the affiliate that carried out the data theft from their ransom department.
RansomHub claimed in its post along with the published stolen data that “we own the data, not ALPHV.”
In its statement Monday, UnitedHealth acknowledged the release of some of the records but stopped short of claiming ownership of the documents. “This is not an official breach notification,” UnitedHealth said.
The Wall Street Journal reported Monday that the ALPHV subsidiary hacked Change Healthcare’s network using stolen credentials for a system which allows remote access to its network. The hackers were on Change Healthcare’s network for more than a week before they deployed ransomware, allowing the hackers to steal significant amounts of data from the company’s systems.
The cyberattack on Change Healthcare began on February 21st and has resulted in ongoing widespread outages at pharmacies and hospitals across the United States. For weeks, doctors, pharmacies and hospitals could not verify patients’ benefits to administer drugs, arrange inpatient care or process prior authorizations needed for surgeries.
Much of the US health care system has ground to a halt, with health care providers facing financial pressure as delays mount and shutdowns drag on.
UnitedHealth reported last week that the ransomware attack cost it more than $870 million in losses. The company reported revenue of $99.8 billion in the first three months of the year, which was better than Wall Street analysts had expected.
UnitedHealth CEO Andrew Witty, who received nearly $21 million in total compensation for the full year 2022, is set to submit to the members of Parliament on May 1.
