Largest U.S. health insurer says third of Americans exposed in massive data hack

Pages from the United Healthcare website are displayed on a computer screen, Feb. 29, 2024, in New York. UnitedHealth says files with personal information that could cover “a substantial portion of people in America” may have been taken in the cyberattack on its Change Healthcare business. The company said Monday, April 22, 2024, after markets closed that it sees no signs that doctor charts or full medical histories were released after the attack.

UnitedHealth Group CEO Andrew Witty told a congressional committee Wednesday that hackers breached a subsidiary of his company, the country’s largest health insurer, by stealing a password and gaining access through a system that lacked multifactor authentication.

Two months after Russian hacker group BlackCat gained access to Change Health Systems and troves of sensitive patient data, UnitedHealth says its investigation has found hackers accessed “files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

When pressed by lawmakers on the issue of exactly how many patients were impacted by the data breach, Witty said, “I think, maybe a third (of Americans) or somewhere of that level,” per TechCrunch.

Multifactor, or two-step, authentication requires users to enter information, in addition to a username and password, to confirm their identity and authorization to access a particular service or software system.

Paying ransom

According to Witty’s written testimony, on Feb. 21, BlackCat locked up Change Healthcare’s systems and demanded a ransom to unlock them.

Witty confirmed that UnitedHealth paid a $22 million ransom to BlackCat, a decision he said he made on his own, according to a report by CBS News. The same report notes the scale of the attack — Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association — meant that even patients who weren’t customers of UnitedHealth were potentially affected.

Last month, UnitedHealth issued a press release stating that “given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.” The company has created a website to provide additional information to customers and is offering two years of free credit monitoring to those impacted by the breach.

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” Witty said in the release.

A February report from Chainalysis finds ransomware activity on the rise with payments made to hackers in 2023 hitting an all-time high of $1.1 billion. According to the report, ransomware attacks were carried out by a varied group of actors from large criminal networks to individuals, and the number of incidents is increasing.