AG Ellison, 22 attorney generals direct UnitedHealth Group to take action in ransomware attack

The Minnesota Attorney General is spearheading an initiative with 22 attorney generals to encourage UnitedHealth Group to take more meaningful action to protect providers and patients after a cyberattack potentially exposed data belonging to “a substantial proportion of people in America” earlier this year.

On Thursday, AG Ellison and others addressed the country’s largest health insurer after a ransomware group gained access to some of the systems of its Change Healthcare business in February and files containing “protected health information” and “personally identifiable information” were exposed.

Ellison and the coalition of attorney generals are asking UnitedHealth to limit the harm to providers and patients by offering financial assistance, suspending requirements for prior authorizations, resolving backlog claims, ensuring providers, pharmacies, and patients are aware of what data was exposed and more.

“As Attorney General, it is my job to help Minnesotans afford their lives and live with dignity, safety, and respect,” said Ellison. “That includes making sure that patients and providers aren’t left holding the bag when a too-big-to-fail health care conglomerate does indeed fail. It is past time for UnitedHealth Group to use its considerable resources to make providers and patients whole after the catastrophic failure of its system.”

Joining the letter to UnitedHealth Group that Ellison led is a bipartisan group of attorneys general from Arizona, California, Connecticut, the District of Columbia, Hawaii, Maine, Massachusetts, Michigan, Mississippi, Nebraska, Nevada, New Hampshire, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, South Dakota, Utah, Vermont and Washington.

At the time of the breach, it was unknown if stolen data had made its way to the dark web. However, this week officials indicated that 22 screenshots allegedly taken from exfiltrated files had been posted on the dark web for about a week, although no other data publications are known at this time.

On Thursday, a spokesperson for UnitedHealth confirmed the company paid a ransom in an effort to protect patient and provider data.

UnitedHealth also sent the following statement to 5 EYEWITNESS NEWS:

We are aware of the letter sent from the Attorneys General. Since, day one, we have prioritized patient access to care, and providing resources and support to concerned individuals, providers, and customers. We continue to offer financial assistance to those providers who need it and encourage them to contact us.

RELATED: UnitedHealth says ‘substantial’ amount of data could have been taken in cyberattack

RELATED: UnitedHealth confirms ransom was paid to hackers in February cybersecurity attack

Despite the cyberattack, which affected UnitedHealth customers all over the country, the health insurer reported revenue of $99.8 billion in its first quarter, a nearly $8 billion increase from the year prior, according to Ellison.

Ellison also noted that in 2022, he and the U.S. Department of Justice sued to block UnitedHealth Group’s acquisition of Change Healthcare, citing concerns over “concentrating market power and data in one corporation.”

However, a district court in the District of Columbia denied the suit and allowed the merger to move forward.

RELATED: Minnesota Hospital Association urges patients to be cautious of scam calls following UnitedHealth Group cyberattack