The corporate logo of the UnitedHealth Group appears on the side of one of their office buildings in Santa Ana, California
The corporate logo of the UnitedHealth Group appears on the side of one of their office buildings in Santa Ana, California

UnitedHealth Group disclosed on Monday that hackers had accessed health and personal information belonging to potentially a "significant portion" of Americans from its systems in February.

This breach occurred at its Change Healthcare unit, responsible for processing approximately 50% of medical claims in the United States.

Multifactor authentication (MFA) protocols are commonly employed to mitigate against such breaches, utilizing methods like text-message codes or access tokens tailored to individual users. However, MFA was not activated for this specific application, leaving it vulnerable to exploitation.

UnitedHealth's initial assessment of the compromised data revealed files containing protected health information or personally identifiable information, potentially affecting a significant portion of the American population, as stated on the company's website.

Despite a ransom payment, the theft happened on February 21.

The incident ranks among the most severe cyberattacks on the American healthcare sector, leading to extensive disruptions in payments to healthcare providers and facilities.

The cyberattack on Change Healthcare, which manages the largest U.S. clearinghouse for medical payments, prompted healthcare providers to urgently seek alternative methods for billing insurers in the weeks and months following the attack.

The cybercriminal gang behind the breach is known as AlphV or BlackCat.

UnitedHealth revealed that another hacker group, known as Ransomhub, had posted 22 screenshots on the dark web for approximately one week. Some of these screenshots included protected healthcare and personal data of UnitedHealth customers.

The company said that it currently has no knowledge of any additional leaks.

Ransomhub said that a dissatisfied affiliate of Blackcat had provided them with the data.

The hackers behind the attack had infiltrated the company's networks for over a week before executing a ransomware attack.

"A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," UnitedHealth Chief Executive Andrew Witty said on Monday.

"This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cybersecurity firms during our investigation."

In typical breaches of this nature, hackers often target sensitive data such as patient records, medical histories, or treatment plans. They may exploit this information for various criminal purposes or leverage it in ransom demands.

UnitedHealth said that although a comprehensive analysis of the breached data would require "several months," there is presently no indication that doctors' charts or complete medical histories of individuals were compromised.

While the company did not specify the exact number of individuals affected by the breach, it noted that it is actively monitoring online forums frequented by hackers, where such data packets are often leaked or traded.

The company noted that pharmacy services are now back to near-normal levels, with 99% of pre-incident pharmacies able to process claims. Further, payment processing by Change Healthcare, which accounts for about 6% of all payments in the U.S health care system, is at approximately 86% of pre-incident levels.