UnitedHealth Group said the cyberattack against its Change Healthcare unit potentially exposed the personal information of "a substantial proportion of people in America," and it will be months before it is able to identify and notify patients affected.
The company also confirmed it paid an unspecified ransom to protect patient data, as reported by Bloomberg Monday.
Related: Lawmakers rip UnitedHealth at Change Healthcare hearing
UnitedHealth found files containing protected health information as well as files with personally identifiable information during its ongoing investigation of the incident, the company said in a news release Monday.
“There were 22 screenshots, allegedly from exfiltrated files, some containing [protected health information] and [personally identifiable information], posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” UnitedHealth Group said in the release.
The company has not discovered stolen personal information such as doctors' charts or full medical histories, it said. Change Healthcare blames the Feb. 21 cyberattack on a ransomware group known as BlackCat, ALPHV or Noberus.
UnitedHealth Group said it is establishing a call center with free credit monitoring and identity theft protection for two years for individuals concerned their patient data was hacked. The call center also will be staffed with clinicians to provide emotional support care to consumers.
Individuals cannot verify whether their data was involved in the cyberattack. The company said it will notify affected individuals, a process that providers worried would fall to them. The Health and Human Services Department's Office for Civil Rights, which enforces privacy rules, said last month it is investigating UnitedHealth Group over whether health data was compromised and if the company is in compliance with breach notification requirements.
Change Healthcare touches one in three patient records and its systems are used by countless healthcare providers and payers nationwide to process claims, manage prior authorizations, verify patient eligibility and pay providers.
The company continues working to bring systems back online. Change Healthcare’s major platforms, including pharmacy claims and payment platforms, are running at 80% functionality. Full restoration is expected to be completed “in the coming weeks,” the company said.
UnitedHealth Group executives told financial analysts during its first-quarter earnings call last week the cyberattack’s financial impact is projected to cost up to $1.6 billion this year. It has already cost the company $872 million.