UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’

Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data.

UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”

The health insurance giant did not say how many Americans are affected but said the data review was “likely to take several months” before the company would begin notifying individuals that their information was stolen in the cyberattack.

Change Healthcare processes insurance and billing for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector; it has access to massive amounts of health information on about half of all Americans.

UnitedHealth said it had not yet seen evidence that doctors’ charts or full medical histories were exfiltrated from its systems.

The admission that hackers stole Americans’ health data comes a week after a new hacking group began publishing portions of the stolen data in an effort to extort a second ransom demand from the company.

The gang, which calls itself RansomHub, published several files on its dark web leak site containing personal information about patients across an array of documents, some of which included internal files related to Change Healthcare. RansomHub said it would sell the stolen data unless Change Healthcare pays a ransom.

RansomHub is the second gang to demand a ransom from Change Healthcare. The health tech giant reportedly paid $22 million to a Russia-based criminal gang called ALPHV in March, which then disappeared, stiffing the affiliate that carried out the data theft out of their portion of the ransom.

RansomHub claimed in its post alongside the published stolen data that “we have the data and not ALPHV.”

In its statement Monday, UnitedHealth acknowledged the publication of some of the files but stopped short of claiming ownership of the documents. “This is not an official breach notification,” UnitedHealth said.

The Wall Street Journal reported Monday that the criminal hacking affiliate of ALPHV broke into Change Healthcare’s network using stolen credentials for a system that allows remote access to its network. The hackers were in Change Healthcare’s network for more than a week before deploying ransomware, allowing the hackers to steal significant amounts of data from the company’s systems.

The cyberattack at Change Healthcare began on February 21 and resulted in ongoing widespread outages at pharmacies and hospitals across the United States. For weeks, physicians, pharmacies and hospitals could not verify patient benefits for dispensing medications, organizing inpatient care, or processing prior authorizations necessary for surgeries.

Much of the U.S. healthcare system ground to a halt, with healthcare providers facing financial pressure as backlogs grow and outages linger.

UnitedHealth reported last week that the ransomware attack has cost it more than $870 million in losses. The company reported it made $99.8 billion in revenue during the first three months of the year, faring better than what Wall Street analysts had expected.

UnitedHealth CEO Andrew Witty, who received close to $21 million in total compensation the full year of 2022, is set to testify to House lawmakers on May 1.