UnitedHealth Group admitted Monday that it had paid hackers to protect patients' data following the cyberattack on its subsidiary Change Healthcare in February.
"This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cyber security firms during our investigation," UnitedHealth told CNBC.
"A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," it added. However, the company did not disclose the ransom payment amount.
UnitedHealth Group Says Hackers Accessed Patients' Protected Health Information
According to a press release Monday, UnitedHealth said the cyberthreat actors gained access to files, including protected health and personally identifiable information. The company noted that the data could "cover a substantial proportion of people in America."
Change Healthcare provides patient billing across the US healthcare system. It performs billions of healthcare transactions annually and claims to manage the data of almost one-third of all US patients, or about 100 million people.
One in every three patient records passes through its systems, which means even patients who are not UnitedHealth clients could have been affected by the cyberattack.
In the press release, UnitedHealth said 22 screenshots of the alleged compromised files were posted to the dark web for about a week. The company further noted that there was no evidence that doctors' charts or complete medical histories were accessed in the breach, and no other data has been published.
UnitedHealth CEO Guarantees Full Assistance for Impacted Individuals
UnitedHealth CEO Andrew Witty said in the release that the attack caused anxiety and inconvenience to consumers and providers, and they "are committed to doing everything possible to help and provide support to anyone who may need it."
The company has created a dedicated website where worried patients can get more information and assistance. UnitedHealth also launched a call center offering free identity theft protection and credit monitoring for two years.
Join the Conversation