The two consecutive UnitedHealth Group data breaches have potentially exposed the private medical information of a "substantial proportion" of Americans.
In a public announcement on Monday, UnitedHealth reported that a large number of its customers' protected health information and personally identifiable information has been leaked to hackers during the cyberattack last February.
The healthcare company noted that the findings are only from the initial investigation and that more stolen data could be found in the ensuing probe in the coming months.
No reported data breach or infiltration has been noted that used the stolen data from UnitedHealth, including "doctors' charts or full medical histories."
The Department of Health and Human Services has also launched its separate inquiry into the cyberattack.
As of writing, UnitedHealth is advising affected customers to refer to its dedicated cyberattack support page
The announcement comes in after Change Healthcare, a subsidiary of UnitedHealth Group and the target of the first cyberattack, reported receiving a second ransomware attack from RansomHub.
UnitedHealth: Affected Healthcare Providers Could Receive Financial Compensations
UnitedHealth has earlier announced that affected "assist care providers" could receive financial compensation from the pledged $2 billion assistance package due to the cyberattacks.
The company said the pledges are part of its ongoing "significant progress in restoring the services impacted by this cyberattack."
As for the affected customers, UnitedHealth has yet to announce plans to assist the more than 27.2 million Americans covered by its multitude of healthcare services.
Of course, customers can still pursue reparations from the damages caused by the cyberattack via lawsuit.
Related Article : Cyberattack-Affected Healthcare Providers Receive $2 Billion from UnitedHealthcare
UnitedHealth Confirms Payment to Ransomware Hackers
In addition to the exposed customer data, UnitedHealth has also finally confirmed that it has paid ALPHV, the ransomware group responsible for the first cyberattack last February.
No exact amount was detailed, although earlier reports from the hackers estimate the payment to be around $23 million. The payment was done via cryptocurrency or about 350 bitcoins.
The ransom was paid to prevent hackers from fully leaking all the stolen medical data to the public, potentially further implicating the company in other litigations.