UnitedHealth Group has issued an update on the data breach that recently struck its subsidiary, Change Healthcare.
The healthcare giant suffered a ransomware attack that knocked some of its services offline and affected different pharmacies and other adjacent businesses across the United States.
In an update, UnitedHealth Group said that based on initial targeted data sampling to date, the company found “files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”
Ransomware fiasco
So far, there has been no evidence that the hackers stole materials such as doctors’ charts, or full medical histories.
The company further explained that the data review is ongoing and complex, and that it will likely take a few months to conclude the investigation, suggesting that the type of stolen data, as well as its scope, might change.
In the meantime, it set up a dedicated website http://changecybersupport.com/ where affected individuals can get more information and details. It also set up a dedicated call center, and is offering free credit monitoring and identity theft protection for two years.
The ransomware attack turned into something of a fiasco for both sides. The company was apparently attacked by an affiliate of the infamous ALPHV (BlackCat) ransomware-as-a-service (RaaS). To address the problem and get its data back, the company paid the attackers $22 million in cryptocurrency. However, due to the nature of RaaS, the affiliate who breached Change never got the money, as ALPHV took all of it and shut the entire operation down.
This also meant that Change never got its data back. In the meantime, a separate threat actor came forward, claiming to be in possession of the data, and asking for even more money.
UnitedHealth Group said that it’s monitoring the internet and the dark web, together with industry experts, to determine if any data made it online.
“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” the notification concludes.