UnitedHealth Group Ransomware Attack : Hackers Stolen Patients Data

The global American health insurance and services corporation UnitedHealth Group has announced that its health IT subsidiary Change Healthcare was the target of a malicious cyberattack.

Based on its initial targeted data sampling, the company has discovered files containing personally identifiable information (PII) or protected health information (PHI), which may include a significant proportion of the US population. 

The business has not yet discovered any indications that materials like complete medical histories or doctor’s files were leaked among the data.

“A malicious threat actor posted 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, on the dark web for about a week. No further publication of PHI or PII has occurred at this time”, UnitedHealth Group said.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Change Healthcare Paid Ransom To A Cybercriminal Group

According to the information shared with Cyber Security News, Change Healthcare has paid a ransom to AlphV, also known as BlackCat. This hacking gang had been extorting the company since February. 

“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the company said.

According to cybersecurity and cryptocurrency experts, Change Healthcare paid the ransom on March 1.

This is indicated by a transaction in which 350 bitcoins, or about $22 million, were put into a cryptocurrency wallet connected to the AlphV hackers. 

The transaction was originally revealed in a post on the RAMP site, a Russian cybercrime forum, where a purportedly betrayed partner of AlphV expressed dissatisfaction over not having received their share of Change Healthcare’s payment.

But Change Healthcare consistently refused to acknowledge that it had paid the ransom. 

To make matters worse, a second ransomware gang has emerged from a dispute among hackers. It claims to have Change Healthcare’s stolen data and threatens to sell it to the highest bidder on the dark web. 

The second gang to demand a ransom from Change Healthcare was identified as RansomHub.

According to reports, they claim to possess patient details and a contract with another healthcare provider among the stolen data from Change Healthcare’s network.

While acknowledging that some files had been published, UnitedHealth refrained from asserting that the documents were its own. UnitedHealth stated, “This is not an official breach notification.” 

Change Healthcare is still making great strides toward resuming the services that were interrupted by the incident.

With 99% of pharmacies operating as they did before the event, pharmacy services are now almost back to normal. 

As more providers transition to alternative submission methods or systems come back online, medical claims are moving through the U.S. health system at almost normal levels. 

Change Healthcare is gradually restoring other services, such as eligibility software and analytical tools, with the active reconnection of the clients currently taking precedence.

“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved,” the company said.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.