The Zhitong Finance App learned that United Health (UNH.US) recently discovered that in February of this year, the company may have leaked private information of a large number of US customers in a serious cyber attack, which may constitute one of the largest healthcare data breaches in history. According to a statement posted by the company on Monday on its website, the leaked document sample included personal information such as health data, involving a wide range of Americans. By Monday's close, the stock was down nearly 2% to $491.23.
Change Healthcare, a division of UnitedHealth Group, was the focus of the attack in this hacking attack. Prior to this hacking attack, the company processed $2 trillion in health claims each year, involving approximately 15 billion transactions. The disclosure of this incident may trigger greater political pressure, prompting the company to explain the reason for the attack and how to respond to it.
Although it has been two months since the attack came to light, the healthcare system is still evaluating the impact, and many issues remain unresolved, including how many people's private data has actually been leaked.
UnitedHealth said it could take months to assess the privacy impact, and there is currently no evidence that doctors' medical records or complete medical history have been leaked. The company has set up a dedicated website and call center to help people with credit monitoring.
According to relevant health privacy regulations, companies usually have 60 days to report data breaches to the Department of Health and Human Services. Last month, the agency launched an investigation into the incident. However, according to weekly information on the company's website, the HHS office responsible for overseeing the data breach reports has yet to receive notifications from UnitedHealth Group, Change Healthcare, or other relevant entities.
UnitedHealth has paid a ransom in this attack, and a company spokesperson said in an email that this is one of the measures to protect patient data from further disclosure. Specific payment details have not been disclosed. The attack is expected to reduce the company's revenue by up to $1.6 billion this year, although this is mainly a one-time cost and is not included in the adjusted results.
According to reports, hackers used compromised credentials without multi-factor authentication to break into Change Healthcare's systems a week before they were discovered. UnitedHealth Group did not comment on this report.
A few weeks after the system gradually returned to normal operation, some doctors and hospitals are still facing cash flow disruptions. UnitedHealth CEO Andrew Witty is expected to testify against the attack in Congress next week.
It's worth mentioning that, according to reports last month, the hacker group involved in the attack received $22 million in Bitcoin payments on March 1. UnitedHealth previously did not comment on whether to pay the ransom.
The data breach could damage the company's reputation, reduce customer trust, and potentially face legal action and high fines. As the company may face financial losses and legal liabilities, investors and shareholders may see the value of their investments affected, especially if the share price is negatively affected as a result, which may affect the company's financial position and market position in the long run.