UnitedHealth Group said Monday that it paid ransoms to cyber threat actors to try to guard patient data following the cyberattack on its Change Healthcare subsidiary in February. The company also confirmed that files containing personal information were compromised in consequence of the breach.
“This attack was carried out by malicious threat actors and we continue to work with law enforcement and several leading cybersecurity firms during our investigation,” UnitedHealth said in a press release to CNBC. “Paying a ransom was part of the company’s commitment to do everything in its power to protect patient information from disclosure.”
The company didn’t provide any information concerning the amount of the ransom payment.
UnitedHealth, which has greater than 152 million customers, said it also found that the cyber threat actors accessed files containing protected health information and personally identifiable information a release on Monday. The files “could cover a significant portion of the people of America,” the press release said.
Change Healthcare offers payment and revenue cycle management tools. The company facilitates greater than 15 billion transactions annually and one in three patient records passes through its systems. This signifies that patients who aren’t UnitedHealth customers is also affected by the attack.
UnitedHealth said within the press release that 22 screenshots purportedly of the compromised files were uploaded to the dark web. The company said no other data was released and it had seen no evidence that medical records or complete medical histories were accessed within the breach.
“We know this attack has been concerning and disruptive to consumers and providers, and we are committed to doing everything we can to help and support anyone who may need it,” UnitedHealth CEO Andrew Witty said. within the press release.
UnitedHealth said concerned patients can visit one own website for access to resources. The company has opened a call center that may provide free identity theft protection and credit monitoring for 2 years, the statement said.
The call center is not going to have the option to supply details on the impact on individual data given the “ongoing nature and complexity of data review,” UnitedHealth said.
image credit : www.cnbc.com