UnitedHealth reveals hackers may have stolen data on a sizeable number of Americans

UnitedHealth Group said Monday "a substantial proportion" of Americans may have had their personal data compromised in a February cyberattack and is offering them free credit monitoring and identity theft protection.

The Minnetonka-based health care giant also disclosed for the first time that it paid a ransom to the hacker in hopes of protecting patient data from disclosure. UnitedHealth did not specify the size of the ransom, but a report in Wired magazine last month suggested it may have been about $22 million.

Anyone worried that their personal and health information might have been compromised will be eligible for the credit and identity theft protections for two years.

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," Andrew Witty, the chief executive officer of UnitedHealth Group, said in a statement.

The cyberattack targeted Change Healthcare, a UnitedHealth subsidiary that runs a widely used clearinghouse for electronic claims data that processes 15 billion health care transactions annually, including about half of all U.S. claims.

The impacts were immediately felt at pharmacy counters across the country, where patients struggled to fill prescriptions. Next came administrative nightmares for hospitals and clinics, as the system for filing claims for payment from health insurers was severely disrupted.

Health care providers have been among the plaintiffs in some two dozen class action lawsuits filed so far against UnitedHealth Group.

On Monday, the company announced preliminary findings from its ongoing investigation and review of the cyberattack, revealing the data involved "could cover a substantial proportion of people in America." Thus far, initial targeted data sampling has found files containing protected health information (PHI) or personally identifiable information (PII), but no evidence of "exfiltration of materials" such as doctor charts or full medical histories among the data.

UnitedHealth Group says it's continuing to monitor the internet and dark web to see if data has been published.

"There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor," the company said in a news release. "No further publication of PHI or PII has occurred at this time."

UnitedHealth has launched a website (www.changecybersupport.com) with information on the free credit monitoring and identity protection services. A dedicated call center has been established at 1-866-262-5342, as well.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals," UnitedHealth Group said in a news release.

"As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review. ... The call center will not be able to provide any specifics on individual data impact at this time."