One further thought: If you were sent a two-factor code without having to provide a cell phone number during your attempted log-in, then you can be assured that it was a genuine two-factor code because they used your stored profile information to know what cell phone number to send the two-factor code to. No hacker would know what cell phone number you have in order to spoof the two-factor process.
Unless a hacker had obtained all of the AARP United Healthcare database that included the phone number of record.
That makes sense until they said they have no such number, the number location. I am clearly not just agitated about this suspicious problem but about the haphazard way they have handled it.