UnitedHealth Confirms Data Theft From Change Healthcare, ‘Substantial’ Number Of Americans Possibly Impacted

The data stolen from prescription processor Change Healthcare includes ‘files containing protected health information (PHI) or personally identifiable information (PII),’ UnitedHealth says.

UnitedHealth Group said in a statement Monday it’s confirming that a potentially significant amount of data belonging to Americans may have been stolen in the Change Healthcare cyberattack earlier this year.

The stolen data “could cover a substantial proportion of people in America,” the insurance giant said in a statement posted on its site.

The data stolen from prescription processor Change Healthcare includes “files containing protected health information (PHI) or personally identifiable information (PII),” UnitedHealth said in the statement. “To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”

The disclosure is the latest development in the ongoing fallout from the widely felt Change Healthcare ransomware attack, which was first revealed two months ago. The disruptions prevented many U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.

In its statement Monday, UnitedHealth said that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

“This is not an official breach notification,” the company added.

Last week, UnitedHealth said it was investigating claims that a cybercrime group has leaked data online that was stolen in the Change Healthcare attack as part of an extortion attempt. The RansomHub cybercriminal gang has posted data it claimed was stolen from Change Healthcare.

A different cybercrime group, known as AlphV and Blackcat, had claimed responsibility for the attack and said on its dark web site that it exfiltrated 6 TB of data from Change Healthcare.

The claim of stolen data had previously prompted the Department of Health and Human Services to launch an investigation into the incident in connection with HIPAA (the Health Insurance Portability and Accountability Act of 1996) rules.

The disclosure also came as the Wall Street Journal reported that the cybercrime group behind the attack initially gained access to Change Healthcare’s systems nine days prior to deploying ransomware. The initial entry was achieved Feb. 12 using stolen credentials, according to the report Monday.

Meanwhile, UnitedHealth has confirmed it paid a ransom to regain access to Change Healthcare’s systems. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the insurer said in a statement to media outlets including CRN.

UnitedHealth did not confirm the amount paid, which was previously pegged at $22 million by security researchers.