UnitedHealth Group Confirms Ransom Payment, Substantial Data Theft, and Predicts $1.6bn Loss

This week, UnitedHealth Group (UHG), the parent company of Change Healthcare, has confirmed that a ransom was paid to the ransomware group behind the February 21, 2024, attack on Change Healthcare. A spokesperson for UHG said, “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”

UHG has not confirmed how much was paid to prevent the publication of the stolen data, but it has been widely reported to be $22 million. The Change Healthcare ransomware attack has clearly demonstrated the risks of paying a ransom. The Blackcat ransomware group pulled an exit scam and refused to pay the affiliate responsible for conducting the attack. The affiliate retained the stolen data, joined another ransomware group, RansomHub, and provided the stolen data in an attempt to get paid. RansomHub issued another ransom demand, published 22 screenshots of the stolen data, and threatened to sell the data to the highest bidder if UHG failed to pay.

This week, UHG announced that the initial results of the investigation have revealed that personal and protected health information was involved. The number of people affected has yet to be determined, but UHG has warned that the breach “could cover a substantial proportion of people in America.”

Change Healthcare processes more than 15 billion transactions each year and states on its website that its systems touch the records of 1 in every 3 Americans. The Blackcat ransomware group claimed to have stolen 6TB of data in the attack, so the breach could have affected tens of millions of individuals, even individuals who are not UHG customers.

UHG has not yet determined the specific types of information involved but has said it has not found any evidence of the exfiltration of doctors’ charts or full medical histories. “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” explained UHG.

Few details about the nature of the attack have been disclosed by UHG; however, The Wall Street Journal has spoken to a source close to the investigation who said initial access to Change Healthcare’s systems occurred 9 days prior to the use of ransomware. Access was allegedly gained using compromised credentials for an account that was not protected with multifactor authentication.

UHG has confirmed that more than $3 billion has been issued to providers affected by the breach as advance payments and interest-free loans to ease the financial difficulties caused by payment delays and the inability to submit claims due to the outages at Change Healthcare. UHG has also confirmed in its first quarter earnings report that the attack has resulted in $872 million in losses, and that losses are expected to rise to between $1.3 and $1.6 billion this year.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/