UnitedHealth confirms ransom payment, reports $872 million impact from attack in Q1

Personal data of a "substantial proportion" of Americans stolen from systems.

On Monday, UnitedHealth Group confirmed that it had paid a ransom to "bad actors" after its subsidiary Change Healthcare was hit with ransomware – an incident that the American Medical Association said caused an "immense crisis", with patients unable to access medicines.

The systems provider, which was purchased by UnitedHealth for over $8 billion in 2022, processes 41 million healthcare transactions daily for one in three US medical patients. The cyberattack, which took place in February 2024, halted medical payments and prescriptions across the US.

BlackCat/ALPHV claimed responsibility for the attack. Change Healthcare has been widely reported as having paid a $22 million ransom.

In Q1 earnings published this month the company said it had suffered "$872 million in unfavorable cyberattack effects" (without breaking this down) in the quarter alone. Executives said that they expect losses from the attack, including remediation and lost revenues, to hit $1.6 billion.

UnitedHealth ransomware impact: Data loss and a big financial hit revealed

CFO John Rex said on an April 16 earnings call that in Q1 "$595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities..."

The company also took a $3 billion cash flow hit as it scrambled to provide funding to care providers.

On April 22 the company added that a data breach had included "protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."

In terms of systems restoration, "payment processing by Change Healthcare... is at approximately 86% of pre-incident levels and is increasing as additional functionality is restored," the company said this week, adding that "other Change Healthcare services, including eligibility software and analytical tools, are being restored on a rolling basis... approximately 80% of Change functionality has been restored on the major platforms and products."

Reuters reported that after the attack, BlackCat claimed to have stolen over eight terabytes of data from Change Healthcare, although the hacker group later deleted that statement.

Currently, the US Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders, and is also offering an additional $5 million reward for tips on people who take part in ALPHV ransomware attacks.

At the time, digital health risk assurance firm First Health Advisory had suggested that the incident, which crippled Change Healthcare's IT systems, was costing health care providers over $100 million daily in unmade payments and putting patients at sustained risk.

"A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," UnitedHealth Chief Executive Andrew Witty told CNBC on Monday. However, Witty did not disclose the amount that was paid to the threat actors.

Healthcare institutions and hospitals continue to be widely targeted by malicious actors. According to a Cisco report, healthcare continues to be the most targeted sector for cyber criminals.

"They're basically a one-stop shop for an adversary," explained Chris Callahan, chief of cybersecurity for the Northwest region of the federal Cybersecurity and Infrastructure Security Agency, in an interview with GovTech.

In the past three months, 13 health care-related businesses have detailed large breaches to the Washington state Attorney General Bob Ferguson, according to the same report.

In June 2023, St. Margaret's Hospital in the US became the first healthcare institution to permanently cease operations due in part to the fallout of a ransomware attack. In 2022, a managed services provider to the UK's NHS revealed that a ransomware attack on August 5 had taken out seven different widely used healthcare applications it owns and hosts, with significant downstream impact.

According to the World Economic Forum, the healthcare industry reported data breaches costing an average of $10.93 million per breach in the past year.
