Hackers stole Social Security numbers, credit card information and medical histories in a February cyberattack on a UnitedHealth Group subsidiary, the company said Thursday.
The Minnetonka-based health care giant revealed more details about the type of consumer data that was compromised and a timeline for contacting those affected in filings with the U.S. Department of Health and Human Services and in a news release.
The data of as many as one-third of Americans may have been partially or fully stolen, but it’s not yet clear who was affected or how. The company said it began notifying affected business customers on Thursday but that it could take until late July for individuals to start receiving notifications.
“While our data review is in the final stages, we continue to offer credit monitoring and identity theft protection to anyone concerned that their data may be affected,” subsidiary Change Healthcare said in a statement.
UnitedHealth, Minnesota’s largest company and the nation’s largest health insurer, acquired Change Healthcare (CHC) in late 2022. CEO Andrew Whitty told lawmakers in May that the company was beefing up its security at the time of the ransomware attack.
UnitedHealth paid a $22 million ransom to resolve a hack that left a lasting trail of chaos across the U.S. healthcare system.
According to the federal government, Change Healthcare processes 15 billion medical transactions annually and touches one-third of patient records. Following the attack, its payment system was shut down, freezing payments to healthcare providers across the country and affecting patients’ access to medicines and services.
“I want to be very clear to all those affected: I offer my deepest and sincere apologies,” Mr Whitty said in grilling in Parliament last month.
Change Healthcare said Thursday’s disclosure marks the “next step in the process” toward full notification.
The company recommends carefully reviewing bank and credit card statements, medical bills and credit reports, and reporting any suspected crime to police.
Victims do not currently know the nature of the information that was exposed, which UnitedHealth said could range from individuals’ names and addresses to medical examination results, Social Security and passport numbers, or any combination thereof.
“Potentially relevant information was not the same for all affected individuals,” Change Healthcare wrote. “To date, data reviews have not revealed complete medical histories.”
According to the updated HIPAA notice, some healthcare customers will be notified immediately that their members or patients are affected and will be directed to receive assistance.
“CHC intends to send direct notification (written) to identified affected individuals upon completion of its data review, as appropriate,” the filing states. “The mailing process is expected to begin in late July as CHC completes its quality assurance procedures.”
The exact number of people affected has not been disclosed, but the company has previously said that it affects a “significant proportion of the US,” reaching 100 million Americans.
UnitedHealth Group is offering free credit and identity monitoring services for two years. Call us at 1-866-262-5342 or tinyurl.com/UHGcredit register.
