UnitedHealth Group paid an undisclosed ransom to hackers in an effort to preserve patient data that may have been compromised.
The attack, which occurred in February, affected patients at Change Healthcare, a division of United’s Optum.
“This attack was conducted by malicious threat actors, and we continue to collaborate with law enforcement and numerous leading cybersecurity companies throughout our investigation,” a UnitedHealth representative told CNBC. “A ransom was paid as part of the company’s commitment to do everything possible to protect patient data from disclosure.”
UnitedHealth revealed that the hacked files contained protected health information and personally identifiable information for “a substantial percentage of people in America,” although the company did not disclose exactly how many patients were affected.
So far, UnitedHealth has said there was no evidence of data being exfiltrated to be used maliciously, and that medical records and doctors’ medical records do not appear to be part of the hacked data set.
“We know this attack has caused concern and been disruptive to consumers and providers, and we are committed to doing everything we can to help and provide support to anyone who may need it,” Andrew Witty, CEO of UnitedHealth Group, said in a corporate statement.
UnitedHealth estimates that it will take several months of analysis to determine the specific individuals affected by the hack, but 22 screenshots of what appeared to be exfiltrated files containing Personal Health Information (PHI) and Personally Identifiable Information (PII) were posted on the dark web for a week.
The company offers those affected two years of free access to a dedicated call center for credit monitoring and identity theft protection.
“As this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulatory authorities and will provide appropriate notifications when the company can confirm the information involved,” UnitedHealth said.