UnitedHealth Group said Monday “a substantial proportion” of Americans may have had their personal data compromised in a February cyberattack and is offering them free credit monitoring and identity theft protection.
The Minnetonka-based health care giant also disclosed for the first time that it paid a ransom to the hacker in hopes of protecting patient data from disclosure. UnitedHealth did not specify the size of the ransom, but a report in Wired magazine last month suggested it may have been about $22 million.
Anyone worried that their personal and health information might have been compromised will be eligible for the credit and identity theft protections for two years.
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” Andrew Witty, the chief executive officer of UnitedHealth Group, said in a statement.
Monday’s announcement was not an official breach notification of the sort required by federal health privacy regulations. That notice, which UnitedHealth says will come when there’s enough information to formally contact patients, could be the largest of its kind ever in the U.S.
Currently, the nation’s largest health care breach was reported in February 2015, affecting more than 78 million people.
“The company processes information relating to more than 152 million Americans — and that’s the number that have potentially been impacted,” Brett Callow, an analyst with the cybersecurity firm Emsisoft, said in an email.
The cyberattack targeted Change Healthcare, a UnitedHealth subsidiary that runs a widely used clearinghouse for electronic claims data that processes 15 billion health care transactions annually, including about half of all U.S. claims.