UnitedHealth confirms it paid ransomware gang to stop data leak

The UnitedHealth Group has confirmed that it paid a ransom to cybercriminals to protect sensitive data stolen during the Optum ransomware attack in late February.

The attack led to an outage that impacted the Change Healthcare payment, affecting a range of critical services used by healthcare providers and pharmacies across the U.S., including payment processing, prescription writing, and insurance claims.

The BlackCat/ALPHV ransomware gang claimed the attack, alleging to have stolen 6TB of sensitive patient data. In early March, BlackCat performed an exit scam after allegedly getting $22 million in ransom from UnitedHealth.

A week later, the U.S. government launched an investigation into whether health data had been stolen in the ransomware attack at Optum.

By mid-April, the extortion group RansomHub raised the pressure even more on UnitedHealth by starting to leak what they claimed to be corporate and patient data stolen during the attack.

The next day, the organization reported that the cyberattack had caused $872 million in financial damages.

Data stolen, ransom paid

In a statement for BleepingComputer, the company confirmed that it paid a ransom to avoid patient data from being sold to cybercriminals or leaked publicly.

"A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure" - UnitedHealth Group

BleepingComputer checked RansomHub's data leak website and can confirm that the threat actor has removed UnitedHealth from its list of victims.

Yesterday, UnitedHealth posted an update on its website announcing support for people whose data had been exposed by the February ransomware attack, officially confirming the data breach incident.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” reads the announcement.

“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” the company says.

The company reassures patients that only 22 screenshots of stolen files, some containing personally identifiable information, were posted on the dark web, and that no other data exfiltrated in the attack has been published "at this time."

The health insurance and services organization promised to send personalized notifications once it completes its investigation into the type of information has been compromised.

A dedicated call center that will be offering two years of free credit monitoring and identity theft protection services has also been set up as part of the organization's effort to support those impacted.

Currently, 99% of the impacted services are operational, medical claims flow at near-normal levels, and payment processing stands at approximately 86%.