UnitedHealth Group has paid an undisclosed reward to hackers in an effort to keep patient records that may have been compromised.
The attack, which it happened in februaryaffected patients of Change Healthcare, a division of United's Optum.
“This attack was carried out by malicious threat actors, and we continue to work with law enforcement and multiple leading cybersecurity firms during our investigation,” a UnitedHealth representative said. CNBC. “A reward was paid as part of the company's commitment to do everything possible to protect patient data from disclosure.”
UnitedHealth revealed that the hacked files contained protected health information and personally identifiable information about “a significant portion of people in America,” though the company did not disclose exactly how many patients were affected.
So far, UnitedHealth said there was no evidence of data being exfiltrated for malicious use, and doctors' charts and medical histories do not appear to be part of the hacked data set.
“We know this attack has caused distress and disruption to consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Andrew Witty, CEO of UnitedHealth Group, in a company release.
UnitedHealth estimates it will take several months of analysis to determine the specific individuals affected by the hack, but 22 screenshots of what appeared to be leaked files containing Personal Health Information (PHI) and Personally Identifiable Information (PII) were posted on the dark web for a week.
Connected: Maine Hacked in Data Breach, 1.3 Million Residents at Risk
The company is offering two years of free access to a dedicated call center for credit monitoring and identity theft protection to those affected.
“While this comprehensive data analysis is being conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company confirms the information contained,” UnitedHealth said.