UnitedHealth Group has started sending letters to patients, saying information ranging from their health conditions to Social Security numbers may have been accessed during a huge cyberattack earlier this year.
One Minnesota patient shared with the Star Tribune a copy of a notice from the company dated Aug. 5. Minnetonka-based UnitedHealth Group says it also sent letters in late July.
The company has not said exactly how many letters are being sent, although Chief Executive Andrew Witty told congressional committees in May that data from one out of three Americans could have been involved in the hack.
"We are sorry to tell you about a privacy event," says the letter from Change Healthcare, the subsidiary that suffered the cyberattack. "We work with many doctors, health insurance plans, and other health companies to help provide health services or benefits. This event may have involved your data."
UnitedHealth Group says it has repaired and restored systems at Change Healthcare while improving security.
The cyberattack, which occurred in February, was hugely disruptive to the nation's health care system because UnitedHealth Group had to shut down a widely used clearinghouse for processing claims in order to contain the threat. Health care providers, in turn, struggled for weeks and in some cases months to submit claims for reimbursement.
"Notice of Data Breach" documents being received by patients say the information that might have been seen and taken includes name, address, date of birth, phone number and email.
Hackers might also have accessed one or more items from several categories, the notice says, including health insurance data, health data, billing/claims data and other personal data, such as Social Security numbers.
"The data that may have been seen and taken was not the same for everyone," the notice states. "Some of this data may be about the person who paid the bill for health care services."
The breach occurred because a cybercriminal accessed the company's computer system without permission, according to the letter.
UnitedHealth Group is offering free credit monitoring and identity theft protection for two years. The letter says people with questions and concerns can phone the company at 866-262-5342.
In an online notice, Change Healthcare (CHC) says its review of personal information potentially involved in the incident is in its late stages.
"CHC continues working through data review to identify affected individuals. CHC plans to mail written letters on a rolling basis to affected individuals," it said. "The mailing process began in late July and continues as CHC completes quality assurance procedures."
In July, UnitedHealth Group said cyberattack costs could reach up to $2.45 billion for the year, including direct expenses for financial support to health care providers as well as costs for the consumer notices.
During the congressional hearings, lawmakers said the event exposed clear technology flaws at Change Healthcare while raising questions about whether UnitedHealth Group has become too big.
UnitedHealth Group is parent company to UnitedHealthcare, which is the nation's largest health insurer. The company also runs a division for health care services called Optum, which includes a fast-growing network of outpatient medical centers plus a large business in pharmacy benefits management.