UnitedHealth cyberattack compromised credit cards, health history, Social Security numbers

Hackers made off with Social Security numbers, credit card information, medical histories and more in the February cyberattack on a UnitedHealth Group subsidiary, the company disclosed Thursday.

The Minnetonka-based health care behemoth revealed greater detail on the type of consumer data compromised and a timeline for contacting those affected in a filing to the U.S. Department of Health and Human Services and a news release.

As many as one-third of all Americans may have had some or all of that data swiped, but a full picture of who was affected and in what way is still not available. The company said it began notifying affected corporate customers Thursday, but it could take until late July for individuals to begin receiving notice.

“While the data review is in its late stages, we continue to provide credit monitoring and identity theft protection to people concerned about their data potentially being impacted,” the subsidiary, Change Healthcare, said in a statement.

UnitedHealth — Minnesota’s largest company and the nation’s largest health insurer — acquired Change Healthcare (CHC) in late 2022. CEO Andrew Witty told Congress in May that the company was upgrading security when the ransomware attack happened.

UnitedHealth paid a $22 million ransom to resolve the hack, which has left a long trail of disruption across the U.S. health care system.

Change Healthcare processes 15 billion health care transactions annually, according to the federal government, and is involved in 1 in 3 patient records. The payment system was shut down after the attack and froze payments to health care organizations around the country, affecting patient access to medications and services.

“To all those impacted, let me be clear: I’m deeply, deeply sorry,” Witty said at last month’s congressional grilling.

Thursday’s disclosure marks “the next step in the process” toward providing full notice, Change Healthcare said.

The company recommends keeping an eye on bank and credit card statements, medical bills and credit reports, and filing a police report if a crime is suspected.

For now, those affected won’t know the nature of their compromised information. UnitedHealth said it could range from an individual’s name or home address to a medical diagnosis to their Social Security or passport numbers — or a combination of data.

“Information that may have been involved was not the same for every impacted individual,” Change Healthcare wrote. “To date, we have not yet seen full medical histories appear in the data review.”

The updated HIPAA notice said some health care customers will soon be notified that their members or patients were affected in order to direct them toward assistance.

“CHC plans to send direct notice (written letters) at the conclusion of the data review, as required, to affected individuals identified,” the filing said. “The mailing process is expected to begin in late July as CHC completes quality assurance procedures.”

While a specific number of affected individuals was not disclosed, the company previously said it is a “substantial proportion of people in America,” amounting to as many as 100 million U.S. residents.

UnitedHealth Group is making free credit and identity monitoring services available for two years; call 1-866-262-5342 or visit tinyurl.com/UHGcredit to enroll.