(Bloomberg) -- UnitedHealth Group Inc. found files containing private information on a vast number of Americans whose data may have been compromised in a February cyberattack that upended the US health system.
A sample of the breached files found they contain personal information, including health data, that “could cover a substantial proportion of people in America,” according to a statement on the company’s website Monday.
The disclosure suggests the attack could be one of the largest health-care data breaches on record. Before the hack, Change Healthcare said it processed $2 trillion in health claims and handled 15 billion transactions per year. The disclosure is likely to add to pressure on the company from Washington to explain what led to the hack and how the company responded.
Two months after the attack on the company’s Change Healthcare unit came to light, the health-care system is still dealing with the repercussions. Among the many unanswered questions is how many people’s private data may have been exposed.
Tallying the privacy impacts may take months, UnitedHealth said. The company has not yet found evidence that doctors’ charts or full medical histories were exposed. It set up a website and call center to assist people with credit monitoring.
Companies typically have 60 days to report data breaches to the Department of Health and Human Services under health privacy rules. The agency opened an investigation into the incident last month.
Late last week, the HHS office that oversees data breach reporting said it hadn’t received notice from UnitedHealth, Change Healthcare, or other affected entities, according to its website.
Ransom Paid
Earlier Monday, the company said it paid a ransom in the attack “as part of the company’s commitment to do all it could to protect patient data from disclosure,” a company spokesperson said in an email. UnitedHealth declined to provide more details.
UnitedHealth said last week that the attack could reduce its earnings by as much as $1.6 billion this year, though most of that is one-time costs excluded from adjusted results.
The hackers breached Change Healthcare’s systems more than a week before they were detected, the Wall Street Journal reported Monday, citing a person familiar with the investigation. They gained access through compromised credentials that didn’t have multi-factor authentication checks designed to thwart attackers, the paper said.
UnitedHealth declined to comment to Bloomberg on the report.
Some doctors and hospitals say they’re still facing cash-flow interruptions weeks after UnitedHealth started bringing downed systems back online. Chief Executive Officer Andrew Witty is expected to testify before Congress next week about the attack.
Wired reported last month that a hacking group involved in the attack got a $22 million bitcoin payment on March 1. UnitedHealth previously declined to comment on the ransom payment.
