UnitedHealth Group on Monday said it paid ransom to cyber threat actors to try to protect patient data, following the February cyber attack on its subsidiary Changing healthcare. The company also confirmed that files containing personal information were compromised in the breach.
“This attack was conducted by malicious threat actors and we continue to work with law enforcement and several leading cybersecurity companies throughout our investigation,” UnitedHealth told CNBC in a statement. “A ransom was paid as part of the company’s commitment to do everything it could to protect patient data from disclosure.”
The company did not specify the amount of the ransom payment.
UnitedHealth, which has more than 152 million customers, said it also determined that cyber threat actors accessed files containing protected health information and personally identifiable information, according to a release on Monday.
The files “could cover a substantial proportion of people in America,” the statement said.
Change Healthcare offers payment and revenue cycle management tools. The company facilitates more than 15 billion transactions annually and 1 in 3 patient records passes through its systems. This means that even patients who are not UnitedHealth customers may have been affected by the attack.
UnitedHealth said in the statement that 22 screenshots, purportedly of the compromised files, were uploaded to the dark web. The company said no other data was published and it saw no evidence that medical records or full medical histories were accessed in the breach.
“We know this attack has caused concern and been disruptive to consumers and providers, and we are committed to doing everything we can to help and provide support to anyone who may need it,” UnitedHealth CEO Andrew Witty said in the statement.
UnitedHealth said concerned patients can visit a dedicated website for access to resources. The company has launched a call center that will offer free identity theft protection and credit monitoring for two years, the statement said.
The call center will not be able to offer any details about the impact of individual data, given the “ongoing nature and complexity of the data review,” UnitedHealth said.
This story originally appeared on NBCNews.com read the full story
