
Cyber Incident Victim: United Healthcare

Date: Feb 2023

Location: United States of America

Summary

United Healthcare experienced a cybersecurity incident involving unauthorized access to its mobile application, potentially exposing members' personal information due to a credential stuffing attack. The breach impacted data such as names, health insurance identification numbers, dates of birth, addresses, healthcare service details, provider names, claims information, and group identifiers, though Social Security and driver's license numbers were unaffected. The company promptly locked affected accounts, enforced password resets, and initiated direct notifications to impacted individuals along with offering complimentary identity theft protection services.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

United HealthCare (UHC) detected suspicious activity targeting its mobile application between February 19 and February 25, 2023, which potentially exposed personal information of enrolled members. The incident was identified through an internal investigation prompted by anomalous behavior observed on the platform. On April 10, 2023, UHC concluded that unauthorized parties had accessed member data during that seven-day window. The intrusion was attributed to a credential stuffing attack, where malicious actors used previously compromised usernames and passwords from unrelated sources to infiltrate user accounts. UHC emphasized that the attackers did not obtain login credentials directly from its own systems. Upon discovering the breach, the company immediately locked affected portal accounts and executed forced password resets to prevent further unauthorized access. The mobile application itself was confirmed as the primary vector of the attack, though no additional system compromises were identified. UHC maintained that its security protocols were not breached, attributing the incident to external credential misuse. The delayed public disclosure occurred on April 28, 2023, when impacted members began receiving mailed notifications.


Compromised data included members’ first and last names, health insurance identification numbers, dates of birth, physical addresses, dates of medical service, treating provider names, claim details, and insurance group names and numbers. UHC explicitly confirmed that Social Security numbers and driver’s license information remained unaffected. The company initiated direct mail correspondence to impacted individuals starting April 28, offering two years of complimentary identity theft protection services as a precautionary measure. Affected members were directed to contact a dedicated phone line for further inquiries. UHC stated that containment measures were implemented swiftly after identifying the incident, though the two-month gap between discovery and notification allowed for thorough impact assessment. No operational disruptions to healthcare services or claims processing were reported. The organization publicly expressed regret for the incident and acknowledged potential customer concerns but did not quantify the number of affected individuals or specify geographic concentrations in its initial disclosure.

Sources: 1 source (available to members)