June 21, 2024
UnitedHealth has confirmed for the first time what types of medical and patient data were stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed in July.
On Thursday, the company published a data breach notification warning that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America."
While UnitedHealth has not explicitly shared how many people were affected, UnitedHealth CEO Andrew Witty stated during a congressional hearing that "maybe a third" of all American's health data was exposed in the attack.
According to the data breach notification, a massive trove of sensitive information was stolen, including:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
However, Change Healthcare says that the exposed data may be different for each impacted individual and that patients' complete medical histories have not been seen in the stolen data.
