Connect with us

Hi, what are you looking for?


Data Breaches

UnitedHealth Says Patient Data Exposed in Change Healthcare Cyberattack

UnitedHealth confirms that personal and health information was stolen in a ransomware attack that could cost the company up to $1.6 billion.

UnitedHealth Change Healthcare cyberattack

Change Healthcare parent company UnitedHealth Group on Monday confirmed that personally identifiable information (PII) and protected health information (PHI) was stolen in a February ransomware attack.

According to the company, the data breach likely impacts “a substantial proportion of people” in the US, but the investigation into the full scope of the incident continues.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” UnitedHealth said in an updated incident notice.

Roughly 4Tb of data might have been stolen during the disruptive attack that caused major healthcare system outages across the US, an Alphv/BlackCat ransomware affiliate allegedly responsible for the intrusion has claimed.

In early March, after UnitedHealth reportedly paid out a $22 million ransom, the BlackCat operators pulled an exit scam, A few weeks later, the affiliate, who did not receive their share of the proceeds, joined the RansomHub ransomware group and tried to extort the healthcare payment processor company again.

RansomHub, which some researchers believe is a BlackCat rebrand, listed Change Healthcare to its Tor-based leak site in early April. Last week it published a series of screenshots allegedly depicting information stolen from the company, threatening to sell or release all the data unless a new ransom was paid.

On Monday, just as UnitedHealth published an incident update that confirmed the data breach, Change Healthcare was delisted from RansomHub’s leak site, which indicates that the company has paid another ransom.

According to CNBC, the company has confirmed paying a ransom, but it’s unclear if this is confirmation for the first payment, a second payment, or both.

Advertisement. Scroll to continue reading.

“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” UnitedHealth said on Monday.

Given the large amount of potentially compromised data, the company pointed out, it would likely take several months before a comprehensive analysis has been completed and the impacted individuals have been identified and notified.

“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved,” UnitedHealth said.

According to the company, there is no evidence that doctor’s charts or full medical histories might have been compromised.

The company also noted that it has restored roughly 80% of the Change Healthcare functionality on major products and platforms, with pharmacy and medical claims services operating at near-normal levels. Payment processing is currently at 86% of pre-incident levels.

As part of its first quarter 2024 earning results (PDF), UnitedHealth Group announced that the ransomware attack incurred costs of $872 million, which could grow to $1.6 billion by the end of the year. The company has provided over $6 billion in advance funding to support impacted healthcare providers.

SecurityWeek has emailed UnitedHealth Group for additional details on the incident and will update this article if a response is received.

*updated to say that it’s unclear which ransom payment was confirmed by UnitedHealth

Related: Ransomware Gang Leaks Data Allegedly Stolen From Government Contractor

Related: Omni Hotels Says Personal Information Stolen in Ransomware Attack

Related: Details and Lessons Learned From the Ransomware Attack on the British Library

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights