Omar Marquez | Rocket Lite | Getty Images
UnitedHealth Group It said on Monday that it had paid a ransom to cyber threat actors to try to protect patient data, following the February cyber attack on its subsidiary Change Healthcare. The company also confirmed that files containing personal information were compromised in the hack.
“This attack was carried out by malicious threat actors, and we continue to work with law enforcement and several leading cybersecurity companies during our investigation,” UnitedHealth told CNBC in a statement. “The ransom was paid as part of the company’s commitment to do everything it can to protect patient data from disclosure.”
The company did not specify the amount of ransom paid.
UnitedHealth, which has more than 152 million customers, said it also identified that cyber threat actors accessed files containing protected health information and personally identifiable information, according to a statement issued Monday. The files “could cover a large percentage of people in America,” the statement said.
Change Healthcare offers tools for revenue and payment cycle management. The company facilitates more than 15 billion transactions annually, and 1 in 3 patient records pass through its systems. This means that even patients who are not UnitedHealth customers could be affected by the attack.
UnitedHealth said in the statement that 22 screenshots, allegedly of the compromised files, were uploaded to the dark web. The company said no other data was made public, and it saw no evidence that doctors' charts or full medical histories were accessed through the hack.
“We know this attack has caused concern and disruption for consumers and providers, and we are committed to doing everything we can to help and provide support to anyone who may need it,” UnitedHealth CEO Andrew Whitty said in the statement.
UnitedHealth said concerned patients can visit a dedicated website to access resources. The company launched a call center offering free identity theft protection and credit monitoring for two years, the statement said.
UnitedHealth said the call center would not be able to provide any details about the impact of individual data due to the “ongoing nature and complexity of data review.”