UnitedHealth Group has admitted it paid a ransom to threat actors who exfiltrated patient data in a breach affecting its subsidiary Change Healthcare.
The major US healthcare provider said in a statement on 22 April that hackers were able to access sensitive data associated with “a substantial proportion of people in America”, and its actions were aimed at limiting customer exposure.
Researchers monitoring crypto wallets of the ALPHV group, believed to be responsible for the initial attack, suggested UnitedHealth had paid a $22 million dollar ransom in Bitcoin in early April.
In a statement provided to a number of news outlets, UnitedHealth Group confirmed it had paid the ransom, arguing it did so out of a commitment to do everything it could to protect patient data.
This payment would constitute one of the largest ransom payments ever recorded in the US.
Change Healthcare suffered a major breach in February causing widespread delays to prescription services across the US, according to UnitedHealth Group’s SEC filing.
The technology firm processes over 15 billion healthcare transactions each year, with one-in-three patient records passing through its systems at one point in time, indicating even non UnitedHealth customers could be affected by the attack.
Since the attack, the health insurance and services company that serves over 152 million customers in the US estimated the breach had already cost $872 million this quarter.
Overall, UnitedHealth said it expects the incident will cost the company up to $1.6 billion, with the group’s shares falling by nearly 15% in the months following the attack.
In its most recent update, the group confirmed it and ‘leading external industry experts’ were continuing to monitor the dark web to determine if any of the exfiltrated data had been published.
Other than 22 screenshots alleged to come from the stolen data, with some containing either protected health information (PHI) or personally identifiable information (PII), no other sensitive information has been leaked according to the group.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” said Andrew Witty, chief executive officer of UnitedHealth Group.
UnitedHealth Group paid the initial ransom, but will it pay the second?
UnitedHealth Group disclosed the initial breach on 21 February 2024, reporting it had identified a suspected nation-state linked threat actor had managed to gain access to some of the Change Healthcare IT systems.
The organization was hit by a second attack with a separate threat collective demanding payment to prevent them publishing over 4TB of sensitive data exfiltrated from Change Healthcare’s internal systems.
According to RansomHub, the second attack was carried out after the original ransomware operator, ALPHV, failed to share the spoils of the ransom with its affiliates.
RansomHub collective had performed an exit scam and its affiliates did not receive the expected 80% share of the total ransom fee, as a result they jumped ship to join RansomHub, who now has control of the original data stolen in the February incident.
UnitedHealth is now faced with the difficult decision of whether it needs to pay once again in order to protect customer data, but there are no guarantees a similar situation will reoccur.
