UnitedHealth Group (UHG) has disclosed that the cyberattack on its subsidiary, Change Healthcare, in February compromised the personal information of a significant portion of Americans. Initial data sampling revealed files containing protected health information (PHI) and personally identifiable information (PII), potentially affecting a substantial number of individuals across the country.
As of now, UHG has not detected any evidence of exfiltration of sensitive data such as complete medical histories or doctors’ charts. However, the company acknowledges the broad reach of the attack and anticipates that it will take several months to identify and notify all affected customers.
In response to the incident, UHG has launched a dedicated website for customers to access information and established call centers offering free credit monitoring and identity theft protection for two years to individuals whose data may have been compromised. Additionally, it has confirmed making a ransom payment as part of its efforts to safeguard patient data.
Change Healthcare is a prominent insurance processing company in the United States. UHG’s acquisition of Change, which faced opposition from the Justice Department, has reignited concerns regarding data concentration and potential risks associated with single entities controlling vast segments of the healthcare industry.
Federal Trade Commission Chair Lina Khan has voiced concerns about the implications of the Change cyberattack, emphasizing the need for data minimization to reduce the amount of sensitive information collected and stored.
The cyberattack on Change Healthcare highlights the critical importance of data security and privacy in today’s digital age. With the increasing frequency and sophistication of cyber threats, organizations must prioritize robust cybersecurity measures and implement responsible data handling practices to protect the sensitive information entrusted to them.
