Cyber Incident Victim: United Health Services of Delaware
Date:
Aug 2022
Location:
United States of America
Summary
United HealthCare Services experienced a data breach compromising names, addresses, health insurance details, and medical information, likely exposing protected health information (PHI) due to the combination of identifiers with healthcare data. The incident, reported to authorities but not yet fully disclosed to affected individuals, poses risks of healthcare identity theft, which could lead to fraudulent medical care, inaccurate patient records, and potential physical health consequences for victims. The breach highlights vulnerabilities in safeguarding sensitive patient data within a major health insurance provider.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 15, 2022, United HealthCare Services, Inc. publicly confirmed a data breach through official filings submitted to the Texas Attorney General. The incident compromised sensitive consumer information, including names, physical addresses, health insurance details, and medical records. At the time of reporting, United Healthcare had not yet issued formal breach notifications to affected individuals via letters or website announcements, though company representatives indicated such communications were forthcoming. The breach specifically exposed data elements that, when combined, constitute Protected Health Information (PHI) under regulatory definitions—specifically the inclusion of medical/insurance records alongside personal identifiers like names and addresses. While United Healthcare did not disclose the number of impacted individuals, the nature of the compromised data strongly suggests the breach primarily affected patient populations rather than employees. The company provided no technical details regarding the breach mechanism, intrusion timeline, affected systems, or containment measures.
The exposure of PHI creates significant risks for affected patients, particularly concerning healthcare identity theft. Unlike conventional financial identity theft, medical identity fraud enables malicious actors to obtain treatment or prescriptions under victims’ identities, potentially corrupting medical histories with inaccurate drug allergies, diagnoses, or procedures—errors that could directly endanger patient safety during future care episodes. United Healthcare, a Minnesota-based insurer founded in 1974 with over 125,000 employees and $200 billion in annual revenue, operates numerous regional subsidiaries including Oxford Health Plans and UnitedHealthcare of Texas. The compromised insurance information could enable fraudulent billing schemes or insurance fraud, while medical data exposure heightens risks of targeted phishing or blackmail attempts leveraging sensitive health conditions. No evidence suggests United Healthcare confirmed whether Social Security numbers or financial account details were accessed, nor did the company describe remediation efforts beyond regulatory filings. The absence of public technical disclosures leaves unclear whether the breach resulted from external hacking, insider threats, or accidental exposure.