UnitedHealth Group has completed more than 90% of its review of the data accessed and stolen by ransomware hackers earlier this year, finding “no evidence” that materials such as doctors’ charts or full medical histories were exfiltrated from its systems.
In an advisory on Thursday, the healthcare giant provided its first breach notification to those who may have been affected by the attack on Change Healthcare, which paralyzed the medical industry for weeks due to the company’s pivotal role in the processing of payments and prescriptions.
In April, Change Healthcare confirmed the hackers accessed data that covers “a substantial proportion of people in America.” While the company is still determining the full extent of the breach, so far they have confirmed that names, addresses, dates of birth, phone numbers, and email addresses were leaked.
The attackers also likely accessed some combination of:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The federal government said two weeks ago that it will allow Change Healthcare to send data breach notifications to victims on behalf of the company’s customers — which include thousands of hospitals, pharmacies, health clinics and doctors’ offices.
Current and former Change Healthcare customers can use the public data breach notice posted online to “proactively notify their individuals of the incident now while the data review remains ongoing and share how individuals can reach out to CHC if they have questions.”
The attack on Change Healthcare is one of the largest ransomware events to ever hit the healthcare industry and sparked outrage as millions of U.S. residents struggled to get medications.
Sen. Ron Wyden (D-OR) said last month that UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a fulltime cybersecurity role before he was elevated to the job in June 2023.
The attack has also reignited efforts to better regulate the healthcare industry after UnitedHealth Group’s CEO admitted the entire attack was traced back to a remote access server that was not protected with multifactor authentication (MFA). MFA policies were waived for servers running older software, the company admitted in Congressional hearings.
Recorded Future
Intelligence Cloud.
