A cyberattack earlier this year against a UnitedHealth Group subsidiary has proved costly for one of the nation’s largest employers.
The health insurance giant said in an earnings release Tuesday that it incurred $872 million in costs related to “unfavorable cyberattack effects” during the first quarter. Those unfavorable effects refer to the February 21 cyberattack on Change Healthcare, which shut down operations at hospitals and pharmacies for more than a week. The $872 million includes “the Change Healthcare business disruption impacts and exclude the cyberattack direct response costs,” which likely excludes any amount UnitedHealth may have paid to hackers as a ransom.
UnitedHealth confirmed soon after the breach that the cybercriminals behind the attack were a Russia-based ransomware gang known as ALPHV or BlackCat. The group itself claimed responsibility for the attack, alleging it stole more than six terabytes of data, including “sensitive” medical records.
UnitedHealth did not reveal how much — if at all — it paid the hackers to have its systems restored. However, multiple media sources at the time, including Wired Magazine, reported that a ransom payment of $22 million was made to BlackCat in the form of bitcoin.
UnitedHealth declined a request for comment by CBS MoneyWatch on Tuesday.
Havoc on health care companies
Ransomware attacks, which involve disabling a target’s computer systems and can cause considerable havoc, are nothing new and have become increasingly common within the health care system. A study published in JAMA Health Forum in December 2022 found that the annual number of ransomware attacks against hospitals and other providers doubled from 2016 to 2021.
A study published in May 2023 in JAMA Network Open examining the effects of an attack on a health system found that waiting times, median length of stay, and incidents of patients leaving against medical advice all increased. An October 2023 preprint from researchers at the University of Minnesota found a nearly 21% increase in mortality for patients in a ransomware-stricken hospital.
The Change Healthcare incident was “straight out an attack on the U.S. health system and designed to create maximum damage,” CEO Andrew Witty told analysts during an earnings call Tuesday. The cyberattack will likely cost UnitedHealth between $1.35 billion and $1.6 billion this year, the company projected in its earnings report.
Despite the $872 million hit it took in the first quarter as a result of the cyberattack, UnitedHealth Group trounced first-quarter expectations. UnitedHealth reported $99.8 billion in revenue during the first quarter of 2024, and a per-share profit of $6.91 — surpassing the $99.2 billion in revenue and $6.61 per share forecast by analysts on FactSet.
“We got through that very well in terms of remediation and building back to (full) function,” Witty said.
About 80% of Change Healthcare’s pharmacy claims and payment computer systems have been fully restored since the cyberattack, Roger Connor, CEO of Optum Insight, said during the analysts’ call.
— With reporting by the Associated Press.