UnitedHealth Group confirmed that it has paid a ransom demanded by hackers who struck its Change Healthcare insurer unit in February.
The company also acknowledged that files containing personal information had been stolen in the breach that threw hundreds of medical facilities, physicians and pharmacies into financial and operational chaos.
UnitedHealth did not reveal the amount of the ransom payment nor the method in which it was paid. Some $22 million in bitcoin has been rumored — and reportedly stamped by blockchain data — that UnitedHealth is said to have paid to unlock its systems and safeguard patient data. In a recent Q1 SEC filing, UnitedHealth reported that the ransomware strike cost it $872 million in the first quarter of 2024 and projected the overall financial impact could run to $1.6 billion. It’s the first time the company has made any type of disclosure as to the material impact of the cyberattack.
“This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cybersecurity firms during our investigation,” UnitedHealth told CNBC. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
Security firms tapped to help in the investigation have not been named.
Admission of Ransom Payment?
Admission of ransom payments by victims of cyber extortion is highly unusual in any case let alone tied to the reason for doing so. It’s not known if UnitedHealth has met ransom payment reporting requirements of the Cybersecurity and Infrastructure Security Agency (CISA) or Securities and Exchange Commission (SEC) breach materiality disclosures.
In a statement, UnitedHealth made no mention of the ransom payment but did allow that “based on initial targeted data sampling to date" it had located files containing personally identifiable information (PII) or protected health information (PHI) that involved a “substantial portion of people in America.”
UnitedHealth said that 22 screenshots, allegedly of PII and PHI data, were posted on the dark web for about a week. So far, no additional data has appeared. At this point, UnitedHealth said it had not seen evidence of doctors’ charts or full medical histories among the data.
Cybersecurity researcher Jeremiah Fowler has previously told CNBC that on the dark web medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card.
The company projected that it will take “several months of continued analysis” before it will be able to notify customers and individuals if they’ve been impacted by the hack. UnitedHealth said it will “reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process.”
The medical clearinghouse's technology touches more than 30% of American patient records, the company has said. As of 2023, UnitedHealth owned a 15% share of the U.S. health insurance market, according to Statista data.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said UnitedHealth chief executive Andrew Witty.
Update on Restoration of Systems
In the meantime, Change Healthcare offered details of systems and services it has prioritized that impact patient care or medication:
- Pharmacy services are now back to near-normal levels, with 99% of pre-incident pharmacies able to process claims.
- Medical claims across the U.S. health system are now flowing at near-normal levels as systems come back online or providers switch to other methods of submission.
- Change Healthcare realizes there are a small number of providers who continue to be adversely impacted and is working with them to find alternative submission solutions and will continue to provide financial support as needed.
- Payment processing by Change Healthcare, which represents approximately 6% of all payments in the U.S health care system, is at approximately 86% of pre-incident levels and is increasing as additional functionality is restored.
- Other Change Healthcare services, including eligibility software and analytical tools, are being restored on a rolling basis with the active reconnection of our customers now the priority.
- To date, approximately 80% of Change functionality has been restored on the major platforms and products, and the company expects full restoration of other systems to be completed in the coming weeks.
UnitedHealth previously said it has funneled some $6 billion in advance funding and loans to support care providers related to the ransomware strike.
ALPHV/BlackCat Crew Blamed
The ALPHV/BlackCat ransomware crew has been fingered as the perpetrator of the attack. It's not known if BlackCat affiliates carried out the attack. However, the previously unknown Ransomhub crew told Reuters that an affiliate of BlackCat gave the data to them after the hackers made off with the $22 million in bitcoin.
Customers and individuals are being directed to a dedicated website at http://changecybersupport.com/ for more information and details. A dedicated call center at 866-262-5342 has been established to offer free credit monitoring and identity theft protections for two years to anyone impacted by the attack.
In March, the Health and Human Services (HHS) agency began an investigation into whether Change Healthcare violated the Health Insurance Portability and Accountability Act (HIPAA) governing patient privacy. Under HIPAA, healthcare clearinghouses, plans and providers must report breaches to individual patients within 60 days of discovery.
