UnitedHealth confirms it paid ransomware gang to stop data leak

The UnitedHealth Group has confirmed that it paid a ransom to cybercriminals to protect sensitive data stolen during the Optum ransomware attack in late February.

The attack led to an outage that impacted the Change Healthcare payment, affecting a range of critical services used by healthcare providers and pharmacies across the U.S., including payment processing, prescription writing, and insurance claims.

The organization reported that the cyberattack had caused $872 million in financial damages.

The BlackCat/ALPHV ransomware gang claimed the attack, alleging to have stolen 6TB of sensitive patient data. In early March, BlackCat performed an exit scam after allegedly getting $22 million in ransom from UnitedHealth.

At that time, one of the gang's affiliate known as "Notchy" claimed that they had UnitedHealth data because they conducted the attack and that BlackCat cheated them of the ransom payment.

The transaction was visible on the Bitcoin blockchain and confirmed by researchers to have reached a wallet used by BlackCat hackers.

A week later, the U.S. government launched an investigation into whether health data had been stolen in the ransomware attack at Optum.

By mid-April, the extortion group RansomHub raised the pressure even more on UnitedHealth by starting to leak what they claimed to be corporate and patient data stolen during the attack.

UnitedHealth's patient data reached RansomHub after "Notchy" partnered with them to extort the company again.

Data stolen, ransom paid

In a statement for BleepingComputer, the company confirmed that it paid a ransom to avoid patient data from being sold to cybercriminals or leaked publicly.

"A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure" - UnitedHealth Group

BleepingComputer checked RansomHub's data leak website and can confirm that the threat actor has removed UnitedHealth from its list of victims.

UnitedHealth’s removal from RansomHub’s site may indicate that today’s confirmation is for a payment to the new ransomware gang rather than the alleged $22 million payment to BlackCat in March.

Yesterday, UnitedHealth posted an update on its website announcing support for people whose data had been exposed by the February ransomware attack, officially confirming the data breach incident.

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” reads the announcement.

“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” the company says.

The company reassures patients that only 22 screenshots of stolen files, some containing personally identifiable information, were posted on the dark web, and that no other data exfiltrated in the attack has been published "at this time."

The health insurance and services organization promised to send personalized notifications once it completes its investigation into the type of information has been compromised.

A dedicated call center that will be offering two years of free credit monitoring and identity theft protection services has also been set up as part of the organization's effort to support those impacted.

Currently, 99% of the impacted services are operational, medical claims flow at near-normal levels, and payment processing stands at approximately 86%.

Related Articles:

UnitedHealth says data of 100 million stolen in Change Healthcare breach

BianLian ransomware claims attack on Boston Children's Health Physicians

U.S. govt agency CMS says data breach impacted 3.1 million people

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

Hacker gets 10 years in prison for extorting US healthcare provider