UnitedHealth offers update on cyberattack data analysis, systems restoration

UnitedHealth Group provided an update late Monday on its analysis of the data accessed in the cyberattack on Change Healthcare and said it identified files that contain personal and health information.

The company said the personal health information and personally identifiable information found in the files "could cover a substantial proportion of people in America." However, UHG said it has not yet uncovered evidence that full medical histories or doctors' charts were among what was stolen.

UnitedHealth added that with the complexity of the review, it will likely take months of further analysis to identify and notify impacted customers. In the meantime, it's offering two years of credit monitoring and identity theft protection to anyone who has been affected by the breach.

The company has also offered to make notifications and conduct required administrative steps on behalf of providers and customers.

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Andrew Witty, CEO of UnitedHealth Group, in the press release.

UnitedHealth also confirmed that it is continuing to work with external experts to monitor the dark web and identify whether any files have been published. It confirmed that 22 screenshots, allegedly from the extracted files, were posted on the dark web for about a week, and that some of them did contain personal information.

Further posts containing data from the hack have not been identified, UnitedHealth Group said.

A notorious cybercriminal gang known as BlackCat or ALPHV claimed responsibility for the hacking, but its administrators appeared to stiff the actual hacker who breached Change Healthcare's systems. That affiliate, having not secured their portion of the ransom, has joined up with a second gang, called RansomHub, to extort the company a second time.

UnitedHealth has never confirmed that a ransom was paid, but cybersecurity experts identified payment logs that point to a payout of about $22 million.

Alongside the update on its data analysis, UnitedHealth Group also offered additional details on where the restoration of Change's services stands. Medical claims, for instance, "are now flowing at near-normal levels," the company said, though it acknowledged that a small number of providers continue to struggle.

Pharmacy services are also back to near normal, according to the release, with 99% of pharmacies connected to Change pre-hacking able to submit claims.

Payment processing within Change, which accounts for about 6% of payments nationwide, is currently operating at about 86% of pre-cyberattack levels, a figure that is growing as the company continues to restore its systems.

"Other Change Healthcare services, including eligibility software and analytical tools, are being restored on a rolling basis with the active reconnection of our customers now the priority," UHG said in the release. "To date, approximately 80% of Change functionality has been restored on the major platforms and products, and the company expects full restoration of other systems to be completed in the coming weeks."