"United HealthCare Reports Data Breach That May Have Revealed Customers' Personal Information"
United HealthCare recently made customers aware of a data breach, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans. According to the company, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information." The company says the breach happened between February 19 and February 25, and it was determined on April 10 that some member information was impacted. They believe that information including members' first and last names, health insurance member identification numbers, dates of birth, addresses, dates of service, provider names, claim information, and group name and number may have been available. The company noted that this incident did not involve the disclosure of Social Security numbers or driver's license numbers. Members who had their information impacted were contacted directly by UHS via mail. The company explained that upon discovery, they took prompt action to investigate the matter. The portal account for members was locked to prevent any further access, and they initiated a forced password reset. During the investigation, the company determined that the application was the target of a credential stuffing attack. The company noted that they have no evidence that member login credentials used during the attack were accessed or obtained from any UnitedHealthcare system.