UnitedHealth Group, one of the nation's largest health insurers, has revealed that the February cyberattack on its subsidiary, Change Healthcare, has cost the company $872 million in the first quarter of 2024. The attack, carried out by the Russia-based ransomware gang known as ALPHV or BlackCat, caused widespread disruptions to hospitals, pharmacies, and other healthcare providers, highlighting the growing threat of cybercrime in the healthcare industry.
In its first-quarter earnings report, UnitedHealth noted $872 million in "unfavorable cyberattack effects," which include the impact of the business disruption caused by the attack but exclude the direct costs associated with the company's response to the incident. While UnitedHealth did not disclose whether it paid a ransom to the hackers, multiple media sources, including Wired Magazine, reported that a payment of $22 million in bitcoin was made to BlackCat to restore the company's systems.
The cyberattack on Change Healthcare, which occurred on February 21, caused significant havoc within the healthcare system. The ransomware group claimed to have stolen more than six terabytes of data, including sensitive medical records. The incident led to increased waiting times, longer hospital stays, and a higher incidence of patients leaving against medical advice, according to a study published in JAMA Network Open.
Despite the substantial financial impact of the cyberattack, UnitedHealth managed to exceed expectations in its first-quarter earnings. The company reported $99.8 billion in revenue and a per-share profit of $6.91, surpassing analysts' forecasts of $99.2 billion in revenue and $6.61 per share, according to FactSet.
UnitedHealth CEO Andrew Witty addressed the cyberattack during an earnings call with analysts, stating, "We got through that very well in terms of remediation and building back to (full) function." Roger Connor, CEO of Optum Insight, a subsidiary of UnitedHealth, added that approximately 80% of Change Healthcare's pharmacy claims and payment computer systems have been fully restored since the attack.
However, the financial repercussions of the cyberattack are expected to persist throughout the year. UnitedHealth projects that the incident will likely cost the company between $1.35 billion and $1.6 billion in 2024, with $1 billion to $1.15 billion in direct costs and an additional $350 million to $450 million in business disruption impacts, including lost revenue.
The cyberattack on Change Healthcare has raised concerns among lawmakers and industry experts about the vulnerability of the healthcare system to malicious cyber actors. During a congressional hearing on the attack, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Washington) emphasized the need to address unanswered questions and learn from the incident to better protect hospitals, doctors, and patients.
Ransomware attacks have become increasingly common in the healthcare industry, with a study published in JAMA Health Forum finding that the annual number of such attacks against hospitals and other providers doubled from 2016 to 2021. The consequences of these attacks extend beyond financial losses, as they can significantly impact patient care and outcomes.
