UnitedHealth admits ransom was paid to bad actors, ‘substantial’ data stolen in hack

For the first time, UnitedHealth acknowledged that it paid ransom to “protect patient data,” even though the feds have asked health-care organizations not to pay ransom so stealing patient data becomes less lucrative.

Hackers acquired health and personal information about a potentially “substantial proportion” of consumers during the massive Change Healthcare cyberattack, parent company UnitedHealth Group said on Monday.

Hackers usually seek sensitive data such as patient records, medical histories or treatment plans for use in further criminal acts or ransom demands in such breaches. UnitedHealth acknowledged for the first time that it paid ransom in an attempt to stop the disclosure of stolen data.

“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” CEO Andrew Witty told CNBC. “This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cybersecurity firms during our investigation.”

The admission that hackers stole Americans’ health data came a week after a new hacking group began publishing portions of the stolen data in an effort to extort a second ransom from the company. The gang, which calls itself RansomHub, published several files on its dark website containing personal information about patients across an array of documents, some of which included internal files related to Change Healthcare. RansomHub said it would sell the stolen data unless Change Healthcare paid a ransom.

Although a full analysis of the breached data would take several months, there is no evidence to suggest that doctors’ charts or full medical histories of individuals were stolen, UnitedHealth said. It didn’t say exactly how many people’s data was stolen, but said it was monitoring online forums where hackers tend to leak or trade such data.

Although the company didn’t specify the amount paid in the ransom, earlier this year Reuters reported that the cybercriminal group claiming responsibility for the attack received $22 million in bitcoins. At the time, UnitedHealth did not address the payment but instead said the company was focused on “investigation and recovery.”

The federal government has asked hospitals and health-care organizations not to pay ransoms so stealing patient data becomes less lucrative. However, health-care companies have a responsibility to protect patient data and restore their systems as quickly as possible. UnitedHealth said 22 screenshots of compromised files have been released on the dark web, but otherwise no data have been published.

Cybercriminal organizations are becoming bolder with their ransom requests. Last September, the Justice Department revealed that U.S. hospitals had paid $100 million to Russian ransomware hackers. The report said more than 400 cyberattacks on health-care companies in 2023 had affected around 61 million people.

“We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it,” Witty said.