UnitedHealth Group admitted to paying ransom in an attempt to protect patient data stolen during the February cyberattack against its subsidiary, Change Healthcare, according to a CNBC report.
UnitedHealth did not specify the amount paid in the ransom, but earlier this year Reuters reported the cybercriminal group claiming responsibility for the attack received $22 million in bitcoins. At the time, UnitedHealth did not address the payment but instead said the company was focused on "investigation and recovery."
Ransom payments are controversial. The federal government has asked hospitals and healthcare organizations not to pay ransoms so stealing patient data becomes less lucrative. However, healthcare companies have a responsibility to protect patient data and restore their systems as quickly as possible.
UnitedHealth said 22 screenshots of compromised files have been released on the dark web, but otherwise no data has been published.
Cybercriminal organizations are becoming bolder with their ransom requests. In December, Chicago-based Saint Anthony Hospital was hit by LockBit hacker group and asked to pay $900,000 in two days, or it would publish patient data. The hospital contacted the FBI and HHS after the attack.
Last September, the Justice Department revealed U.S. hospitals have paid $100 million to Russian ransomware hackers. The report noted more than 400 cyberattacks on healthcare companies in 2023 that affected around 61 million people.