UnitedHealth says wide swath of patient files may have been taken in Change cyberattack

UnitedHealth says files with personal information that could cover a “substantial portion of people in America” may have been taken in the cyberattack earlier this year on its Change Healthcare business.

The company said Monday after markets closed that it sees no signs that doctor charts or full medical histories were released after the attack. But it may take several months of analysis before UnitedHealth can identify and notify people who were affected.

UnitedHealth did say that some screen shots containing protected health information or personally identifiable information were posted for about a week online on the dark web, which standard browsers can’t access.

The company is still monitoring the internet and dark web and said there has been no addition file publication. It has started a website to answer questions and a call center. But the company said it won’t be able to offer specifics on the impact to individual data.

The company also is offering free credit monitoring and identity theft protection for people affected by the attack.

UnitedHealth bought Change Healthcare in a roughly $8 billion deal that closed in 2022 after surviving a challenge from federal regulators. The U.S. Department of Justice had sued earlier that year to block the deal, arguing that it would hurt competition by putting too much information about health care claims in the hands of one company.

UnitedHealth said in February that a ransomware group had gained access to some of the systems of its Change Healthcare business, which provides technology used to submit and process insurance claims.

The attack disrupted payment and claims processing around the country, stressing doctor’s offices and health care systems.

Federal civil rights...