Minnetonka-headquartered UnitedHealth has updated its estimate of users affected by the cyberattack in February 2024. The healthcare company, which provides health insurance and other medical services to a substantially high number of Americans, now reports that the number of affected individuals exceeds 190 million, according to a report by Reuters. The hack mainly targeted UnitedHealth Group’s tech arm, Change Healthcare, last February.
The attack hindered the firm’s IT system, affecting its operations for up to a month. Under this cyberattack, personal information such as names, physical addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers, as well as medical and financial data of customers, was said to have been compromised.
Even in June 2024, the company admitted that the hackers behind the cyberattack had likely accessed health insurance information and personal health details, including medical test results, images, and financial & banking information. In fact, the company began notifying impacted customers in July 2024, four months after the incident took place.
But the interesting thing is, in its statement, the company claims that it has “not seen electronic medical record databases appear in the data during the analysis.”
In October 2024, the US Health Department shared an update regarding the breach and revealed that the personal information of approximately 100 million people had been exposed due to the hack. However, according to the report, the company has now filed a final report with the US Department of Health and Human Services and confirmed the updated number, which is almost double the previous data.
Speaking of the hacking group behind the incident, the Russian ‘AlphV,’ also known as the ‘BlackCat’ ransomware group, claimed responsibility for the attack. They reportedly exploited a loophole in remote-access Citrix software to gain access to the company’s systems. After that, as usual, they locked up the data to make ransom demands.
According to the report, during the testimony in 2024 regarding the incident, CEO Andrew Witty admitted that Change Healthcare did not have multi-factor authentication in place when the attack took place.
Meanwhile, the cyberattack has damaged UnitedHealth in both ways – in terms of reputation as well as financially. This is expected to cost the company between $2-$2.5 billion. Not only that, but the company has reportedly made two ransom payments to the responsible hacking group, with one Installment being around $22 million, according to reports.
Cyberattacks are not a rare phenomenon for US companies, as last month the US Treasury Department officially confirmed that it had suffered a significant cybersecurity breach in November 2024. In this breach, Chinese hackers accessed unclassified documents. In the same month, two of the biggest telecommunications giants – AT&T and Verizon – also suffered a cybersecurity breach from the Chinese-linked Salt Typhoon cyber espionage group.
