United Healthcare Group confirmed this week that it paid a ransom of an undisclosed amount to resolve a hack of its Change Healthcare prescription claims systems.
The insurer publicly disclosed the cyberattack on Feb. 23, two days after it occurred. At that time, the insurer did not say whether it had paid a ransom to bring its systems back online.
UnitedHealthcare said it isolated and disconnected the impacted systems “immediately upon detection” of the threat, but doing so interrupted pharmacy services, payment platforms and medical claims processes.
UnitedHealth has more than 152 million customers.
Change Healthcare allows insurers to communicate electronically with doctors’ offices and pharmacies. United HealthCare said that system became fully operational on March 8.
The ransomware attack by a group known as BlackCat disrupted crucial operations across the U.S. health-care system, including at Novant Health Inc. and GoodRx, which offers discount prescription coupons.
UnitedHealthcare has not specified what kind of data was compromised in the attack, but did confirm that files containing personal information were involved.
However, some groups that track significant cryptocurrency transactions reported that $22 million was transferred to an entity known to be associated with BlackCat.
“This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cyber security firms during our investigation,” UnitedHealth told CNBC in a statement Monday.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
The insurer said in a Monday update that it “found files containing protected health information or personally identifiable information, which could cover a substantial proportion of people in America.”
“There were 22 screenshots, allegedly from exfiltrated files, some containing protected health information or personally identifiable information, posted for about a week on the dark web by a malicious threat actor. No further publication has occurred at this time.
“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”
The insurer said that “given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”
“The company will reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process.”
A dedicated website at http://changecybersupport.com/ has been set up, along with a dedicated call center (866-262-5342) to offer free credit monitoring and identity theft protections for two years to anyone impacted. The call center will not be able to provide any specifics on individual data impact at this time.
The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published.
Change Healthcare said pharmacy services “are now back to near-normal levels, with 99% of pre-incident pharmacies able to process claims.”
“Medical claims across the U.S. health system are now flowing at near-normal levels as systems come back online or providers switch to other methods of submission.”
Meanwhile, payment processing by Change Healthcare, which represents approximately 6% of all payments in the U.S. health care system, is at 86% of pre-incident levels.
For more information on Change Healthcare’s service restoration and customer support, go to www.uhg.com/changehealthcarecyberresponse.