UnitedHealth says a large number of patient records may have been compromised in the Change cyberattack

Server image by Massimo Botturi on unsplash.com

UnitedHealth says files containing personal information that could cover a “significant portion of people in America” may have been captured during the cyberattack on its Change Healthcare business earlier this year.

The company said Monday after markets closed that it sees no signs of medical charts or full medical histories being released after the attack. But it could take several months before UnitedHealth can identify and notify affected people.

UnitedHealth did say that some screenshots containing protected health information or personally identifying information were posted online for about a week on the dark web, which standard browsers cannot access.

The company continues to monitor the Internet and the dark web and said no additional files have been published. It has started a website to answer questions and a call center. But the company said it cannot provide details on the impact on individual data.

The company is also offering free credit monitoring and identity theft protection to people affected by the attack.

UnitedHealth bought Change Healthcare in a roughly $8 billion deal that closed in 2022 after surviving a challenge from federal regulators. The U.S. Department of Justice had filed a lawsuit earlier that year to block the deal, arguing it would harm competition by putting too much information about health care claims in the hands of one company.

UnitedHealth said in February that a ransomware group had gained access to some of the systems of its Change Healthcare business, which provides technology used to file and process insurance claims.

The attack disrupted payment and claims processing across the country, straining physician practices and healthcare systems.

Federal civil rights investigators are already investigating whether the attack exposed protected health information.

UnitedHealth said Monday it was still working to restore services disrupted by the attack. It is primarily aimed at redressing the problems that affect patients’ access to care or medication.

The company said both pharmacy services and medical claims had returned to near-normal levels. It said the payment process was back to about 86% of pre-attack levels.

UnitedHealth said last week as it reported first-quarter results that the company has provided more than $6 billion in pre-funding and interest-free loans to health care providers affected by the attack.

UnitedHealth took an $872 million hit in the first quarter as a result of the cyberattack, and company officials said that could grow to above $1.5 billion this year.

Minnetonka, Minnesota-based UnitedHealth Group Inc. manages one of the largest health insurers in the country. It also operates one of the largest pharmacy benefits management companies in the country, providing healthcare and technology services.

The company fell nearly $3 to $488.36 in afternoon trading on Tuesday, while broader indexes rose.