The company said it will likely take several months before it can notify impacted individuals, while a separate report claims the company paid a ransom to the criminals.
Health insurance giant UnitedHealth Group has shared more details of a recent cyberattack on its subsidiary company Change Healthcare – and the impact may be very severe.
UnitedHealth has reviewed the data targeted in the cyberattack and said it found files containing protected health information and personally identifiable information. The company claims it has not seen evidence that materials such as doctors’ charts or full medical histories were stolen.
The health insurance giant warned that the stolen data could cover “a substantial proportion of people in America”. The company did not give a further estimate on how many people may be impacted by the data breach, but claimed it will likely “take several months of continued analysis” before it has enough information to identify and notify impacted customers and individuals.
The breach relates to a cyberattack that occurred in February that targeted Change Healthcare, which provides billing and data systems for hundreds of thousands of hospitals and pharmacies across the US. UnitedHealth claims Change’s systems processes approximately 6pc of all payments in the US healthcare system.
Earlier this month, an extortion group called RansomHub claimed that stolen data from the Change Healthcare cyberattack is up for sale online.
UnitedHealth said it is continuing to investigate the situation and has created a “dedicated call centre” to offer free credit monitoring and identity theft protections for two years to anyone impacted.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said UnitedHealth Group CEO Andrew Witty.
Meanwhile, a report from the Wall Street Journal paints a poor picture for Change Healthcare’s cybersecurity. A source familiar with the ongoing investigation claims the ransomware attackers had access to company networks for more than a week before they launched their attack.
This source also claims that UnitedHealth eventually paid the ransom to the cyberattackers, but did not specify how much. Earlier reports claim the company paid a ransom of $22m.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotifyon Apple or wherever you get your podcasts.