UnitedHealth reveals hackers may have stolen data on a sizable number of Americans

UnitedHealth Group said Monday "a substantial proportion" of Americans may have had their personal data compromised in a February cyberattack and is offering them free credit monitoring and identity theft protection.

The Minnetonka-based health care giant also disclosed for the first time that it paid a ransom to the hacker in hopes of protecting patient data from disclosure. UnitedHealth did not specify the size of the ransom, but a report in Wired magazine last month suggested it may have been about $22 million.

Anyone worried that their personal and health information might have been compromised will be eligible for the credit and identity theft protections for two years.

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," Andrew Witty, the chief executive officer of UnitedHealth Group, said in a statement..

Monday's announcement was not an official breach notification of the sort required by federal health privacy regulations. That notice, which UnitedHealth says will come when there's enough information to formally contact patients, could be the largest of its kind ever in the U.S.

Currently, the nation's largest health care breach was reported in February 2015, affecting more than 78 million people.

"The company processes information relating to more than 152 million Americans — and that's the number that have potentially been impacted," Brett Callow, an analyst with the cybersecurity firm Emsisoft, said in an email.

The cyberattack targeted Change Healthcare, a UnitedHealth subsidiary that runs a widely used clearinghouse for electronic claims data that processes 15 billion health care transactions annually, including about half of all U.S. claims.

The impact was immediately felt at pharmacy counters across the country, where patients struggled to fill prescriptions. Next came administrative nightmares for hospitals and clinics, as the system for filing claims for payment from health insurers was severely disrupted.

Health care providers have been among the plaintiffs in some two dozen class-action lawsuits filed against UnitedHealth Group.

On Monday, the company announced preliminary findings from its ongoing investigation and review of the cyberattack, revealing the data involved "could cover a substantial proportion of people in America." Thus far, initial targeted data sampling has found files containing protected health information (PHI) or personally identifiable information (PII), but no evidence of "exfiltration of materials" such as doctor charts or full medical histories among the data.

UnitedHealth Group says it's continuing to monitor the internet and dark web to see if data has been published.

"There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor," the company said in a news release. "No further publication of PHI or PII has occurred at this time."

UnitedHealth has launched a website (changecybersupport.com) with information on the free credit monitoring and identity protection services. A dedicated call center has been established at 866-262-5342, as well.

Callow, the cybersecurity expert, said there is no evidence that ransomware groups systemically misuse data to commit identity-related fraud. While people should be concerned and certainly accept the offer of credit monitoring, "it may well be that their information will not be misused," he said.

"That said, it is likely that scammers will attempt to take advantage of the situation — in fact, it's already happening," Callow added.

Given the complexity of the ongoing data review, it is likely to take several months of continued analysis to identify and notify affected customers and individuals, UnitedHealth Group said in a news release. In the meantime, the company said it opted to provide immediate support and protections rather than wait.

"The call center will not be able to provide any specifics on individual data impact at this time," the company said.

IT services at Change Healthcare are continuing to recover. Pharmacy systems are now back to near-normal levels, with 99% of pre-incident pharmacies able to process claims, UnitedHealth Group says, and medical claims are flowing at near-normal levels.

"Change Healthcare realizes there are a small number of providers who continue to be adversely impacted and is working with them to find alternative submission solutions and will continue to provide financial support as needed," the company said in a statement.