The UnitedHealth Group has confirmed that it paid a ransom to cybercriminals to protect sensitive data stolen during the Optum ransomware attack in late February.
The attack led to an outage that impacted the Change Healthcare payment, affecting a range of critical services used by healthcare providers and pharmacies across the U.S., including payment processing, prescription writing, and insurance claims.
The organization reported that the cyberattack had caused $872 million in financial damages.
The BlackCat/ALPHV ransomware gang claimed the attack, alleging to have stolen 6TB of sensitive patient data. In early March, BlackCat performed an exit scam after allegedly getting $22 million in ransom from UnitedHealth.
At that time, one of the gang's affiliate known as "Notchy" claimed that they had UnitedHealth data because they conducted the attack and that BlackCat cheated them of the ransom payment.
The transaction was visible on the Bitcoin blockchain and confirmed by researchers to have reached a wallet used by BlackCat hackers.
A week later, the U.S. government launched an investigation into whether health data had been stolen in the ransomware attack at Optum.
By mid-April, the extortion group RansomHub raised the pressure even more on UnitedHealth by starting to leak what they claimed to be corporate and patient data stolen during the attack.
UnitedHealth's patient data reached RansomHub after "Notchy" partnered with them to extort the company again.
Data stolen, ransom paid
In a statement for BleepingComputer, the company confirmed that it paid a ransom to avoid patient data from being sold to cybercriminals or leaked publicly.
"A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure" - UnitedHealth Group
BleepingComputer checked RansomHub's data leak website and can confirm that the threat actor has removed UnitedHealth from its list of victims.
UnitedHealth’s removal from RansomHub’s site may indicate that today’s confirmation is for a payment to the new ransomware gang rather than the alleged $22 million payment to BlackCat in March.
Yesterday, UnitedHealth posted an update on its website announcing support for people whose data had been exposed by the February ransomware attack, officially confirming the data breach incident.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” reads the announcement.
“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” the company says.
The company reassures patients that only 22 screenshots of stolen files, some containing personally identifiable information, were posted on the dark web, and that no other data exfiltrated in the attack has been published "at this time."
The health insurance and services organization promised to send personalized notifications once it completes its investigation into the type of information has been compromised.
A dedicated call center that will be offering two years of free credit monitoring and identity theft protection services has also been set up as part of the organization's effort to support those impacted.
Currently, 99% of the impacted services are operational, medical claims flow at near-normal levels, and payment processing stands at approximately 86%.
Comments
NoneRain - 2 months ago
"A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure" - UnitedHealth Group
AKA
"We paid criminals and fueled their operations, so we could potentially (our fingers are crossed) avoid data disclosure. Since we are already pwed, the money given to the cybercrime is not a concern. Also, this is a good thing to do in our mind. Good luck everyone."
electrolite - 2 months ago
"But but but, the criminals work on an honour system, so when we paid them the ransomware, they swore they would not sell the data anyway or send it off elsewhere. They did remove the us from the victim list though, so we are safe now. Right?"
Alas...
KeiFeR123 - 2 months ago
These guys just set precedence of WHAT a company SHOULD NOT BE DOING. Now these bad actors would keep doing it given that they would get paid.
I hope the data is not release BUT I doubt cause criminals can be good guys right?
powerspork - 2 months ago
They will talk about protecting patients but we know that is not what they are doing. They are protecting their business contracts they have with medical entities that detail the rates they pay for various services. This data reveals who is getting ripped off and by how much, and will absolutely destroy their profitability in future negotiations. Their business losses have only begun.
But what I would want to see is the details of why they deny certain claims. Is there really a reason, or do they do it to boost profits, knowing you can't stop them?
mikebutash - 2 months ago
At what point do we shut down irresponsible businesses such as United Healthcare that are unwilling and unable to protect themselves and our most personal information, medical records, against constant attack and breach?
They are so rich and fat, they'll keep paying every ransom so they can check the box that says "Did everything you could", pay the fines, fix absolutely nothing of their inherent insecurity, and then go back to making trillions of dollars, simply raising our premiums to cover the ransoms paid.
They are unwilling to do what it takes to protect our data, why should they get to continue to do business after such gross violation of trust and negligence?
powdermnky007 - 2 months ago
I guess this is just a "cost of doing business" / tax write off for them at this point. SAD...
gryphenwings - 2 months ago
"I guess this is just a "cost of doing business" / tax write off for them at this point. SAD..."
More like increasing the rates for those insured. "Here, pay us more money so we can fund criminals because we're too lazy to secure your data."
Mr.Tom - 2 months ago
Why isn't UnitedHealth Group in haveibeenpwned? I'm guessing it will be soon.
With all these healthcare facilities and even other large corporations being breached, I'd like to know HOW they're being breached. This would be important information to try and mitigate future breaches.
With no forensic publications after these breaches, I'm only to assume it was from an attachment in an email some office slug opened. But I know there's so many avenues to break inside a large business like this, which is why forensic information is important to the public.
EPark75 - 2 months ago
I’m in cybersecurity. The most common breaches (over 90%) are unwitting employees clicking on links in phishing emails, but those instances won’t yield the kind of access needed to steal sensitive data because only network administrators have firewall access. So hackers program bots to hunt for login credentials. PWs change frequently but usernames rarely do. Once they’ve determined a username to be valid the bots begin doing thousands of PW queries. If a company hasn’t implemented MFA (you’d be surprised how many big companies still haven’t) then it’s often only a matter of time.
However they don’t necessarily need the data to make the threat. I recently dealt with a ransomware attack, also of a healthcare provider, where we caught the breach while it was happening so they got nothing, but they still threatened to say they got in, because technically they did, and that’s enough to scare many companies into paying to stay off the list.
johnlsenchak - 2 months ago
That is twenty two million dollars that went to either Russia or North Korea , both financially sanctioned countries