UnitedHealth admits IT security breach could 'cover substantial proportion of people in America'

That said, good ol' American healthcare system so elaborately costly, some are forced to avoid altogether

UnitedHealth Group, the parent of ransomware-struck Change Healthcare, delivered some very unwelcome news for customers today as it continues to recover from the massively expensive and disruptive digital break-in.

In a very roundabout way, the corporate giant says network intruders may have accessed internal health-related data associated with a very large number of people in the United States.

"Based on the initial targeted data sampling to date, the company has found files containing protected health information and personally identifiable information, which could cover a substantial proportion of people in America," it said in a statement.

"To date, the company has not seen evidence of exfiltration of materials such as doctors' charts or full medical histories among the data," UnitedHealth added.

The ransomware attack, which began in February, hit hospitals and pharmacies that use the insurance and billing services of UnitedHealth across the US for weeks. Electronic prescriptions came back online in early March.

The exact number of people affected – those who may have had their info accessed by the ransomware extortionists – was not mentioned. Given the "ongoing nature and complexity of the data review," the insurance giant estimates it will likely take third party experts "several months of continued analysis" to comb through enough information to "identify and notify impacted customers and individuals."

An affiliate of ALPHV claimed responsibility for the breach. According to a report in the Wall Street Journal yesterday, the criminal crew got into Change Healthcare's network via pilfered credentials for a tech system that permits remote access to its network. The criminal gang spent more than a week inside until they unleashed the ransomware and stole data from the systems.

A spokesperson at UnitedHealth told TechCrunch that a ransom had been paid "as part of the company's commitment to do all it could to protect patient data from disclosure." The amount was not specified but it was understood to be around $22 million.

RansomHub, another criminal crew, recently released what is believed to be personal patient data from the hack and itself demanded a ransom to stop it leaking more. It claimed that it was storing the data, and not ALPHV.

UnitedHealth and its external cyber specialists claim they are still "monitoring" the dark web to ascertain if more data has been published online. The company says it saw 22 screenshots, "allegedly from exfiltrated files," some of which contained protected health information and personally identifiable information, that it says were posted on the dark web for roughly one week by miscreants, but claims it has spotted nothing since.

The cost of the saga to the org is currently pegged at $870 million for calendar Q1 and could stretch to $1.6 billion for the year, UnitedHealth confirmed last week. ®
