We remain confident in what our telemetry and controls demonstrated — that our Optum, UnitedHealthcare and UnitedHealth Group systems are safe and were not affected by this issue. While forensic analysis continues with Mandiant, we are confident in the safe restore date that was established. The forensic work led by Mandiant continues to validate that this attack stopped at the Change firewall. There has never been, nor is there now, any evidence of traversal to Optum, UnitedHealthcare, UnitedHealth Group or any other endpoint.
We remain vigilant and, in partnership with Mandiant and Palo Alto Networks, our heightened and aggressive threat hunting continues across the Change, Optum, UnitedHealthcare and UnitedHealth Group environments. Palo Alto Networks’ Attack Surface Monitoring (ASM) is scanning all company domains and will remain in place indefinitely.
Here are some of the security measures we took while restoring Relay Exchange and Assurance services with an abundance of caution:
- In partnership with AWS, we restored systems across accounts from clean backups.
- A leading cybersecurity platform, Trend Micro, completed scanning prior to services going into production.
- Amazon GuardDuty was used to complete the initial scanning post restoration.
- Palo Alto’s Unit 42 scanned the environment for malicious activity and unauthorized behavior.
- Change Healthcare also conducted vulnerability scans via Tenable.
- Bishop Fox penetration tested external-facing endpoints.
- Servers supporting Assurance and Relay Exchange were re-scanned by Mandiant and confirmed cleared prior to moving the servers to the production environment.
- Documentation from Bishop Fox, Mandiant and UnitedHealth Group was made available for customers reconnecting to the service.
Customers can obtain documentation with help from their client executive or by submitting a request via the link on this website. We have provided and will continue providing third-party assurances for products brought back into production.
As we continue to restore products, please know that core services are being monitored 24/7 by the Optum Security Operations Center, Palo Alto and Mandiant, and this will continue. No service will return to production until it has been scanned by multiple agents, is under active monitoring by a third party and has been cleared by Mandiant, Palo Alto or both. Consistent with industry practices, external points have been pen-tested, remediated where necessary and cleared.
If you are still unsure how to safely reconnect or are running into questions or issues with security gateways, etc., please reach out to your client executive or submit a request via the link on this website. Our team is committed to getting everyone back up and running as safely and as quickly as possible.
We have said previously that we are investigating the extent of impacted data as quickly as possible, and we have an update on where we are.
A review of the data is underway by a leading forensics expert. At this time, we know that the data had some quantity of personal health information and personally identifiable information. We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made, and will work with the Office for Civil Rights and our customers in doing so.
This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems. We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.
We continue to be vigilant, and we are committed to providing appropriate support to people whose data is found to have been compromised.
We are committed to providing updates as we progress through the data, not just at the end. We also know customers are interested in hearing about what data is impacted to determine if they have notification obligations. We will be offering to do the notification work for customers where permitted.