The UnitedHealth Group has recently acknowledged that it made a payment to cybercriminals to safeguard sensitive data that was stolen during the Optum ransomware attack in February.
As a result of the attack, there was a disruption in services provided by Change Healthcare, which had significant implications for healthcare providers and pharmacies nationwide.
Critical functions such as payment processing, prescription writing, and insurance claims were impacted. The financial impact of this cyberattack was reported to be approximately $872 million.
The Optum ransomware attack was claimed by the BlackCat/ALPHV ransomware gang, who stated that they had obtained 6TB of sensitive patient data.
However, it was later revealed that the gang had performed an exit scam, disappearing after reportedly receiving a ransom payment of $22 million from UnitedHealth.
During this time, a member of the gang known as “Notchy” accused BlackCat of withholding their share of the ransom payment, claiming that they were the ones responsible for the attack and had access to UnitedHealth data.
The transaction itself was traceable on the Bitcoin blockchain and confirmed by researchers to have been received by a wallet associated with the BlackCat hackers.
Following the Optum ransomware attack, the U.S. government initiated an investigation to determine if any health data had been compromised.
In a further escalation, the extortion group called RansomHub began leaking what they alleged to be corporate and patient data stolen during the attack in mid-April.
UnitedHealth’s patient data had made its way to RansomHub after “Notchy” joined forces with them to extort the company once again.
UnitedHealth Group Data Stolen and Ransom Paid to the Hackers
The organization has indeed confirmed that it made a ransom payment in order to prevent the sale or public leak of patient data to cybercriminals.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure”
UnitedHealth Group
RansomHub’s data leak website confirms that the threat actor has removed UnitedHealth from its list of victims.
The recent removal of UnitedHealth from RansomHub’s site suggests that the confirmation made today pertains to a payment made to the new ransomware gang, rather than the previously alleged $22 million payment to BlackCat in March.
In an update posted on its website yesterday, UnitedHealth officially acknowledged the data breach incident resulting from the February ransomware attack and announced support for individuals whose data had been exposed.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,”
“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,”
Reads the announcement.
UnitedHealth group has provided reassurance to patients by stating that only 22 screenshots of stolen files, some containing personally identifiable information, were found on the dark web. Additionally, they have clarified that no other data taken in the attack has been made public “at this time.”
The company has committed to conducting a thorough investigation to determine the extent of the compromised information and plans to send personalized notifications to affected individuals once the investigation is complete.
To support those affected, UnitedHealth has established a dedicated call center that will provide two years of free credit monitoring and identity theft protection services.
Currently, the organization reports that 99% of impacted services are operational, with medical claims flowing at near-normal levels, and payment processing functioning at approximately 86%.
