UnitedHealth Says Patient Data Exposed in Change Healthcare Cyberattack

UnitedHealth confirms that personal and health information was stolen in a ransomware attack that could cost the company up to $1.6 billion.

Change Healthcare parent company UnitedHealth Group on Monday confirmed that personally identifiable information (PII) and protected health information (PHI) were stolen in a February ransomware attack.

According to the company, the data breach likely impacts “a substantial proportion of people” in the US, but the investigation into the full scope of the incident continues.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” UnitedHealth said in an updated incident notice.

Roughly 4Tb of data might have been stolen during the disruptive attack that caused major healthcare system outages across the US, an Alphv/BlackCat ransomware affiliate allegedly responsible for the intrusion has claimed.

In early March, after UnitedHealth reportedly paid out a $22 million ransom, the BlackCat operators pulled an exit scam. A few weeks later, the affiliate, who did not receive their share of the proceeds, joined the RansomHub ransomware group and tried to extort the healthcare payment processor company again.

RansomHub, which some researchers believe is a BlackCat rebrand, listed Change Healthcare on its Tor-based leak site in early April. Last week it published a series of screenshots allegedly depicting information stolen from the company, threatening to sell or release all the data unless a new ransom was paid.

On Monday, just as UnitedHealth published an incident update that confirmed the data breach, Change Healthcare was delisted from RansomHub’s leak site, which indicates that the company has paid another ransom.

According to CNBC, the company has confirmed paying a ransom, but it’s unclear if this is confirmation for the first payment, a second payment, or both.

“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” UnitedHealth said on Monday.

Given the large amount of potentially compromised data, the company pointed out, it would likely take several months before a comprehensive analysis has been completed and the impacted individuals have been identified and notified.

“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved,” UnitedHealth said.

According to the company, there is no evidence that doctors’ charts or full medical histories might have been compromised.

The company also noted that it has restored roughly 80% of the Change Healthcare functionality on major products and platforms, with pharmacy and medical claims services operating at near-normal levels. Payment processing is currently at 86% of pre-incident levels.

As part of its first quarter 2024 earnings results (PDF), UnitedHealth Group announced that the ransomware attack incurred costs of $872 million, which could grow to $1.6 billion by the end of the year. The company has provided over $6 billion in advance funding to support impacted healthcare providers.

SecurityWeek has emailed UnitedHealth Group for additional details on the incident and will update this article if a response is received.

*updated to say that it’s unclear which ransom payment was confirmed by UnitedHealth

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
