UnitedHealth confirms major cyberattack, says hackers stole

UnitedHealth Group has released an update on the data breach that recently affected its subsidiary Change Healthcare.

The healthcare giant suffered a ransomware attack that took some of its services offline and affected several pharmacies and other neighboring businesses in the United States.

In an update, UnitedHealth Group said that based on its initial targeted data sampling to date, the company has “identified files containing protected health information (PHI) or personally identifiable information (PII), which could cover a significant portion of people in America.”

Ransomware fiasco

So far, there is no evidence that the hackers stole material such as doctor’s records or complete medical histories.

The company further explained that the data review is ongoing and complex, and it will likely take a few months to complete the investigation, indicating that the type of data stolen, as well as its scope, could change.

In the meantime, it has set up a dedicated website, http://changecybersupport.com/, where affected individuals can get more information and details. It has also set up a dedicated call center and is offering free credit monitoring and identity theft protection for two years.

The ransomware attack was something of a fiasco on both sides. The company was apparently attacked by an affiliate of the infamous ALPHV (BlackCat) ransomware-as-a-service (RaaS) operation. To address the problem and get the data back, the company paid the attackers $22 million in cryptocurrency. However, due to the nature of RaaS, the affiliates that breached Change never got the money, as ALPHV took it all and shut down the entire operation.

This also meant that Change never got its data back. In the meantime, a separate threat actor came forward, claiming to be in possession of the data and asking for even more money.

UnitedHealth Group said it is working with industry experts to monitor the Internet and the dark web to determine if any data has come online.

“There were 22 screenshots, allegedly from exfiltrated files, some of which contained PHI and PII, that were posted to the dark web by a malicious threat actor for approximately a week. No further disclosure of PHI or PII has occurred at this time,” the notice concludes.
