UnitedHealth admits breach could 'cover substantial proportion of people in America'

UnitedHealth Group, the parent of ransomware-struck Change Healthcare, delivered some very unwelcome news for customers today as it continues to recover from the massively expensive side and disruptive digital break-in.

"Based on the initial targeted data sampling to date, the company has found files containing protected health information and personally identifiable information, which could cover a substantial proportion of people in America," it said in a statement.

"To date, the company has not seen evidence of exfiltration of materials such as doctors' charts or full medical histories among the data," UnitedHealth added.

The ransomware attack, which began in February, impacted hospital and pharmacies that use the insurance and billing services of UnitedHeath across the US for weeks. Electronic prescriptions came back online in early March.

The exact number of people affected was not mentioned. Given the "ongoing nature and complexity of the data review," the insurance giant estimates it will likely take third party experts "several months of continued analysis" to comb through enough information to "identify and notify impacted customers and individuals."

An affiliate of ALPHV claimed responsibility for the breach. According to a report in the Wall Street Journal yesterday, the criminal crew got into Change Healthcare's network via pilfered credentials for a tech system that permits remote access to its network. The criminal gang spent more than a week inside until they unleashed the ransomware and stole data from the systems.

A spokesperson at UnitedHealth told TechCrunch that a ransom had been paid "as part of the company's commitment to do all it could to protect patient data from disclosure." The amount was not specified but it was understood to be around $22 million.

RansomHub, another criminal crew, recently released what is believed to be personal patient data from the hack and itself demanded a ransom to stop it leaking more. It claimed that it was storing the data, and not ALPHV.

UnitedHealth and its external cyber specialists claim they are still "monitoring" the dark web to ascertain if more data has been published online. The company says it saw 22 screenshots, "allegedly from exfiltrated files," some of which contained protected health information and personally identifiable information, that it says was posted on the dark web for roughly one week by miscreants, but claims it has spotted nothing since.

The cost of the saga to the org is currently pegged at $870 million for calendar Q1 and could stretch to $1.6 billion for the year, UnitedHealth confirmed last week. ®