UnitedHealth Group announced on Monday that it has taken the extraordinary step of paying a ransom to cybercriminals in an attempt to safeguard patient data, following a cyberattack on its subsidiary, Change Healthcare, in February.
Confirming the breach, the company acknowledged that personal information files were compromised.
In a statement, UnitedHealth characterized the attack as the work of malicious threat actors and reiterated its cooperation with law enforcement and leading cybersecurity firms in the ongoing investigation.
The decision to pay the ransom was described as part of the company’s unwavering commitment to shielding patient data from exposure.
While the exact amount of the ransom remains undisclosed, UnitedHealth, boasting more than 152 million customers, revealed that files containing protected health information and personally identifiable information had been accessed by the cybercriminals.
The breach, described as potentially impacting a significant portion of the American population, extends beyond UnitedHealth customers because Change Healthcare processes a substantial volume of patient records annually.
Change Healthcare, specializing in payment and revenue cycle management tools, processes over 15 billion transactions yearly, with one in every three patient records flowing through its systems.
Consequently, individuals outside UnitedHealth’s clientele may also find themselves affected by the breach.
According to UnitedHealth, 22 screenshots allegedly depicting compromised files have surfaced on the dark web. No other data has been made public, and the company has not found evidence indicating access to doctors’ charts or complete medical histories.
Acknowledging the disruption and concern caused by the attack, UnitedHealth CEO Andrew Witty expressed the company’s commitment to assisting affected consumers and providers.
In response, the company has launched a dedicated website offering resources for concerned patients and established a call center to provide free identity theft protections and credit monitoring for two years.
However, UnitedHealth stated that because the data review is ongoing and intricate, the call center is unable to furnish specific details regarding individual data impacts.