‘Substantial proportion’ of US had data stolen in Change Healthcare ransomware attack

A “substantial proportion of people in America” had their personal information accessed during the ransomware attack on Change Healthcare in February, the company’s parent company said Monday. 

The company has faced questions from healthcare providers and lawmakers about what personal data was in the hands of hackers who claimed to have terabytes of the company’s data.

During a congressional hearing last week, a doctor testified that they have repeatedly asked UnitedHealth Group, which owns Change Healthcare, for clarity about what they should tell patients, considering the company handles about one in every three medical records and processes about half of all medical claims in the U.S.

In a statement, UnitedHealth said it is offering free credit monitoring and identity theft protections for two years to anyone impacted, but did not say how many people were affected or how someone would know they had information obtained by the healthcare giant.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” the company said.

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

The company did not respond to several questions about estimates of the number of people affected, what kind of information was accessed and the ransom paid to the hackers. UnitedHealth Group confirmed to CNN and CNBC on Monday that it paid a ransom “as part of the company’s commitment to do all it could to protect patient data from disclosure.”

It is unclear if that payment was the $22 million sum reportedly paid to the AlphV ransomware gang weeks ago, or if it was to a second set of hackers who offered the company’s data for sale through a group called RansomHub. RansomHub reportedly removed the UnitedHealth Group posting over the weekend.

The company’s statement addressed the RansomHub posting, saying there were 22 screenshots posted to the site that included exfiltrated files with some personal information. According to UnitedHealth, it was only posted for about a week on the dark web and “no further publication of PHI or PII has occurred at this time.”

The Wall Street Journal reported on Monday that hackers were in UnitedHealth Group’s systems for more than a week before they initiated the ransomware attack, using compromised credentials on a remote management tool to gain initial access. 

The U.S. Department of Health and Human Services (HHS) said last month that it has started an investigation into whether protected health information was compromised and if Change Healthcare and UHG complied with Health Insurance Portability and Accountability Act (HIPAA) rules.

UnitedHealth Group created a website and call center for victims to go to for more information but noted that they “will not be able to provide any specifics on individual data impact at this time.”

The company said it plans to notify victims and cover regulatory requirements on behalf of providers and customers — addressing a direct complaint lodged by doctors during the House hearing last week. 

The company’s CEO Andrew Witty will testify before the House Energy and Commerce Committee on May 1. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.