UnitedHealth Group paid ransom to protect patient information

Photo: Andrew Brookes/Getty images

UnitedHealth Group has admitted it paid a ransom to the Change Healthcare cyberattackers to protect patient information.

"A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," UnitedHealth Group said in a statement on Monday.

The company did not disclose the amount paid.

WHY THIS MATTERS

The company has also confirmed that files containing personal information were compromised in the breach, according to CNBC.

UnitedHealth Group, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published, according to a status update published on Monday. There were 22 screenshots, allegedly from exfiltrated files, some containing personal health information and personally identifiable information, posted for about a week on the dark web by a malicious threat actor, UnitedHealth said.

"No further publication of PHI or PII has occurred at this time," the company said.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals. As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review," UnitedHealth said.

Based on initial targeted data sampling to date, the company has found files containing protected health information or personally identifiable information, which could cover a substantial proportion of people in America, the company said. To date, it has not seen evidence of exfiltration of materials such as doctors' charts or full medical histories among the data, UnitedHealth said.

"While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved," the status report said. "This is not an official breach notification. The company will reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process."

The company has announced support for people who may be concerned about their personal data potentially being impacted based on preliminary findings from the ongoing investigation and review of the data involved.

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," Witty said by statement.

People are asked to visit a dedicated website for more information or call 1-866-262-5342.

THE LARGER TREND

UnitedHealth Group's CEO Andrew Witty is expected to testify before a House committee in May about the ransomware attack, according to The Record. During a hearing last week on the cyberattack by the House Subcommittee on Health, at least two representatives called out UnitedHealth Group for not making anyone available.

In March, Reuters reported that UnitedHealth Group paid $22 million to recover access to data and systems encrypted by the Blackcat ransomware gang.

Change Healthcare, which is owned by Optum, a subsidiary of UnitedHealth Group, discovered it was hit by a cyberattack on February 21. The company shut down its systems, which affected claims payments to hospitals and physicians' groups nationwide.

While Change has been reestablishing connectivity, provider revenue continues to be impacted by delays in submitting and receiving payment.

UnitedHealth said in its status update that it has made "strong progress" in restoring Change services.

Email the writer: SMorse@himss.org