UnitedHealth Group said on Monday that hackers stole health and personal data of potentially a “substantial proportion” of Americans from its systems in February, as the largest U.S. health insurer scrambles to contain the damage.
The intrusion at its Change Healthcare unit, which processes about 50% of U.S. medical claims, was one of the worst hacks to hit American healthcare and caused widespread disruption in payment to doctors and health facilities.
The disclosure suggests patients’ healthcare information remains vulnerable. An initial review of the compromised data showed files with protected health information or personally identifiable information “which could cover a substantial proportion of people in America,” the company said in a statement on its website.
That theft on Feb. 21 occurred despite a ransom payment.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” UnitedHealth Chief Executive Andrew Witty told CNBC on Monday.
“This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cybersecurity firms during our investigation.”
Hackers usually seek sensitive data such as patient records, medical histories, or treatment plans for use in further criminal acts or ransom demands in such breaches.
While a full analysis of the breached data would take “several months,” there is no evidence to suggest that doctors’ charts or full medical histories of individuals were stolen, UnitedHealth said. It did not say exactly how many people’s data was stolen, but that it was monitoring online forums where hackers tend to leak or trade such data packets.
The cybercriminal gang behind the breach, known as AlphV or BlackCat, has not responded to multiple requests for comment.
Another hacker group posted 22 screenshots on the dark web for about a week, some of which contained UntiedHealth customers’ protected healthcare and personal data, the company said, adding it was unaware of any other leaks at this time.
That group, which calls itself Ransomhub, told Reuters earlier that a disgruntled affiliate of Blackcat had given it the data.
Soon after the hack came to light in February, Blackcat said on its website it had stolen 8 terabytes of sensitive records from Change Healthcare – only to later delete that statement without explanation.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” UnitedHealth CEO Witty said in the company post.