UnitedHealth Group announced on Monday that it paid ransom to cyberthreat actors in an effort to protect patient data following the February cyberattack on its subsidiary, Change Healthcare.
The company also confirmed that files containing personal information were compromised in the breach.
“This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cybersecurity firms during our investigation,” UnitedHealth told in a statement.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
The company did not disclose the amount of the ransom payment.
UnitedHealth, which serves more than 152 million customers, stated that the cyberthreat actors accessed files containing protected health information and personally identifiable information, according to a release on Monday.
The files “could cover a substantial proportion of people in America,” the release added.
Change Healthcare provides payment and revenue cycle management tools, facilitating over 15 billion transactions annually, with one in every three patient records passing through its systems.
As a result, even patients who are not UnitedHealth customers could have been affected by the attack.
UnitedHealth revealed in the release that 22 screenshots, allegedly of the compromised files, have been uploaded to the dark web.
The company noted that no other data has been published and that there is no evidence that doctors’ charts or full medical histories were accessed in the breach.
“We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it,” UnitedHealth CEO Andrew Witty said in the release.
UnitedHealth advised that concerned patients can visit a dedicated website for access to resources.
The company has also launched a call center offering free identity theft protections and credit monitoring for two years, as mentioned in the release.
The call center will not be able to provide any details about individual data impacts given the “ongoing nature and complexity of the data review,” UnitedHealth said.