Health insurance giant UnitedHealth Group has confirmed a devastating ransomware attack on its health tech subsidiary Change Healthcare earlier this year, resulting in a massive theft of Americans’ private healthcare data. The ransomware gang responsible for the attack took files containing personal data and protected health information that UnitedHealth says may impact a substantial proportion of people in America.
Change Healthcare, which processes insurance and billing for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector, has access to vast amounts of health information on about half of all Americans. UnitedHealth has not disclosed the exact number of individuals affected but stated that the data review process will likely take several months before notifying those whose information was stolen.
The cyberattack, which began on February 21, led to widespread outages at pharmacies and hospitals across the United States, causing disruptions in patient care and financial strain on healthcare providers. The ransomware gang, known as RansomHub, has threatened to sell the stolen data unless a ransom is paid.
UnitedHealth reported losses of over $870 million due to the attack, but the company still managed to exceed revenue expectations for the first three months of the year. CEO Andrew Witty, who received a substantial compensation package in 2022, is scheduled to testify before House lawmakers on May 1 regarding the cyberattack and its impact on the healthcare industry. The breach highlights the growing threat of cyberattacks on sensitive healthcare data and the urgent need for improved cybersecurity measures in the industry.