UnitedHealth Group recently disclosed that it fell victim to a cyberattack in February, leading to a breach of patient data held by its subsidiary, Change Healthcare. In response, the company made the decision to pay ransom to the cyberthreat actors involved in an effort to safeguard the compromised data.
The cyberattack, orchestrated by malicious actors, prompted UnitedHealth to collaborate with law enforcement and cybersecurity experts to investigate the breach thoroughly. While the exact amount of the ransom payment was not disclosed, the company emphasized its commitment to protecting patient data from unauthorized disclosure.
With over 152 million customers, UnitedHealth acknowledged that files containing protected health information and personally identifiable details were accessed by the cyberthreat actors. This breach potentially impacts a significant portion of the American population due to the vast scope of the compromised data.
Change Healthcare, a subsidiary of UnitedHealth, specializes in payment and revenue cycle management tools, processing billions of transactions annually. Given the high volume of patient records passing through its systems, the data breach has implications beyond UnitedHealth’s customer base, potentially affecting a broader range of individuals.
UnitedHealth reported that screenshots of the compromised files have surfaced on the dark web, heightening concerns about data privacy and security. Despite this, the company assured that no other data had been publicly disclosed, and there is no evidence to suggest that extensive medical records or doctors’ charts were compromised in the incident.
In response to the cyberattack, UnitedHealth CEO Andrew Witty expressed empathy for the disruption caused to consumers and healthcare providers. The company aims to support those affected by providing a dedicated website with resources and establishing a call center that offers complimentary identity theft protection and credit monitoring for a two-year period.
As the data review process remains ongoing, UnitedHealth emphasized the limitations of the call center’s ability to provide detailed information about individual data impacts. However, the company reassured affected individuals of its commitment to mitigating the effects of the breach and offering necessary support throughout the resolution process.
