UnitedHealth confirms patient data compromised in Change Healthcare cyberattack
Company offers to notify affected patients on behalf of providers
UnitedHealth Group has confirmed patient data, potentially covering a significant portion of the U.S. population, was compromised in the Change Healthcare cyberattack.
The Feb. 21 attack has prevented many dentists from sending electronic claims and attachments to insurance companies to receive payment. Change Healthcare, owned by UnitedHealth Group, is one of the largest health care technology companies in the U.S.
Twenty-two screenshots, allegedly of files obtained by the attackers, were posted for about a week on the dark web, according to an April 22 news release from UnitedHealth. Some images included protected health information and personally identifiable information. The company has not found evidence the accessed files included doctors’ charts or full medical histories.
The U.S. Department of Health and Human Services Office for Civil Rights published a webpage April 19 to share answers to frequently asked questions concerning Health Insurance Portability and Accountability Act rules and the cybersecurity attack.
In a statement to CNBC, UnitedHealth stated it paid a ransom in an effort to protect patient data from disclosure.
The company continues to monitor the internet and dark web with external industry experts to determine if other data has been published.
The data review will likely last several months before UnitedHealth has enough information to identify and notify impacted parties. In the meantime, the company is in communication with law enforcement and regulators.
To help ease reporting obligations on other stakeholders, UnitedHealth has also offered to handle notifications and related administrative requirements on behalf of providers whose data may have been compromised as part of the cyberattack.
Affected parties can receive free credit monitoring and identity theft protections for two years by contacting the UnitedHealth call center at 1-866-262-5342. The center will not be able to provide specifics on compromised data.
For more information on resources from UnitedHealth, visit changecybersupport.com.