The cyberattack on Change Healthcare in February targeted the data of “a substantial proportion of people in America,” UnitedHealth Group (UHG) said this week, with the company confirming it paid a ransom in an effort to protect patient information.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” UHG said in an update on Monday regarding the attack on its subsidiary.
“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”
Due to the scope of the attack, UHG said it will likely take “several months” to identify and notify customers who were impacted. The company has launched a website where customers can get information and has set up call centers to “offer free credit monitoring and identity theft protections for two years” to affected individuals.
It further shared that 22 screenshots allegedly from files taken from Change were posted for about a week on the dark web by a “malicious threat actor.” These files contained both protected health information and personally identifiable information.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” UHG CEO Andrew Witty said in a statement.
Witty is scheduled to testify before the House Energy and Commerce Subcommittee on Oversight and Investigations on May 1.
A UHG spokesperson also confirmed to The Hill that a ransom payment had been made, saying, “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
Change is one of the top insurance processing companies in the U.S. UHG’s ownership of Change, which the Justice Department tried to block, has reignited concerns over vertical integration and the risks involved in single companies commanding large swaths of the healthcare industry. The DOJ reportedly launched an antitrust investigation into UHG earlier this year.
Federal Trade Commission Chair Lina Khan commented on the Change cyberattack while speaking with reporters on Tuesday.
“It’s fair to say we have seen ways in which consolidation and concentration of data can create more vulnerabilities, right. Because if there’s a hack, there’s more that could get exposed. And so we see some of those interconnections,” said Khan.
“One of the key remedies that we’ve been pushing is this concept of data minimization. So the idea that you should really minimize what data you’re even collecting or storing in the first place.”