Change Healthcare
Image: National Cancer Institute via Unsplash

With review nearly finished, UnitedHealth says ‘no evidence’ doctors’ charts stolen in ransomware attack

UnitedHealth Group has completed more than 90% of its review of the data accessed and stolen by ransomware hackers earlier this year, finding “no evidence” that materials such as doctors’ charts or full medical histories were exfiltrated from its systems.

In an advisory on Thursday, the healthcare giant provided its first breach notification to those who may have been affected by the attack on Change Healthcare, which paralyzed the medical industry for weeks due to the company’s pivotal role in the processing of payments and prescriptions.

In April, Change Healthcare confirmed the hackers accessed data that covers “a substantial proportion of people in America.” While the company is still determining the full extent of the breach, so far they have confirmed that names, addresses, dates of birth, phone numbers, and email addresses were leaked.

The attackers also likely accessed some combination of: 

  • Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
  • Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
  • Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

The federal government said two weeks ago that it will allow Change Healthcare to send data breach notifications to victims on behalf of the company’s customers — which include thousands of hospitals, pharmacies, health clinics and doctors’ offices.

Current and former Change Healthcare customers can use the public data breach notice posted online to “proactively notify their individuals of the incident now while the data review remains ongoing and share how individuals can reach out to CHC if they have questions.”

In statements after UnitedHealth’s notice, Senators Maggie Hassan (D-N.H.) and Marsha Blackburn (R-TN) said the company may have been in violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the incident.

Letters sent by the two senators earlier this month and in April urged UnitedHealth Group to begin notifications by June 21.

Hassan lauded that notifications were beginning but said it is “unacceptable that Americans will be left in the dark for at least another month about a hack that occurred in February.”

“By UnitedHealth Group’s own admission, the personal information of tens of millions of Americans could be at risk and that information could include personal medical information as well as Social Security numbers and other sensitive data,” she said.

“While this is a step in the right direction, the company must find ways to move more quickly to directly notify patients that their personal information is at risk.”

The attack on Change Healthcare is one of the largest ransomware events to ever hit the healthcare industry and sparked outrage as millions of U.S. residents struggled to get medications.

Sen. Ron Wyden (D-OR) said last month that UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a full-time cybersecurity role before he was elevated to the job in June 2023.

The attack has also reignited efforts to better regulate the healthcare industry after UnitedHealth Group’s CEO admitted the entire attack was traced back to a remote access server that was not protected with multifactor authentication (MFA). MFA policies were waived for servers running older software, the company admitted in Congressional hearings.

Editor's note: This article was updated at 3:30 p.m. Eastern time with statements from Senators Maggie Hassan (D-N.H.) and Marsha Blackburn (R-TN).

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.