UnitedHealth says ransomware attack on Change Healthcare impacted 190m individuals

U.S. healthcare company UnitedHealth has revealed that the data security incident it suffered last year compromised the sensitive personal information of 190 million individuals.

 

Headquartered in Nashville, Tennessee, Change Healthcare, a subsidiary of the UnitedHealth Group, said that in February, it experienced enterprise-wide connectivity issues due to which certain applications were not functioning. The company later said the outage occurred due to a "cyber security issue" and that operational disruption could last throughout the day.

 

Later, in another statement, Change said the impact of the cyber attack was restricted to its internal systems and all other systems across UnitedHealth Group, its parent company, were operational.

 

On February 28, the infamous ALPHV/BlackCat ransomware group claimed responsibility for the cyber attack on Change Healthcare and listed it as a victim on its data leak site.

 

Earlier this week, UnitedHealth revealed that the ransomware attack on its subsidiary Change Healthcare affected around 190 million people in the United States.

 

In a statement shared with TechCrunch, Tyler Mason, a spokesperson for UnitedHealth Group said, “Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million.

 

“The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date,” Mason added.

 

UnitedHealth’s spokesperson added that the company was “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”

 

Commenting on the news, Simon Phillips, CTO of SecureAck, said, “Previous estimates suggested this attack impacted one in three Americans, but clearly these figures were a drop in the ocean in comparison with the reality. It now looks like one in two citizens were impacted, which undoubtedly turns the attack into the largest the world has ever experienced.

 

“UnitedHealth also has suffered an estimated $2 billion in losses following the attack, which also makes it one of the costliest cyber incidents. This is even despite the company apparently paying the ransom demand, twice. This should act as a warning to other organisations. Paying a ransom demand doesn’t equal exemption from the other costs and reputational damage associated with attacks,” he added.