Ransomware attack has cost UnitedHealth $872 million; total expected to surpass $1 billion

The ransomware attack on a company owned by healthcare giant UnitedHealth Group (UHG) has so far caused $872 million in losses, according to the corporation’s latest earnings report. 

UnitedHealth owns Change Healthcare, a key cog in the U.S. healthcare industry that was crippled by a ransomware attack in February. Change Healthcare and UHG subsidiary Optum took hundreds of systems offline as a result of the incident and faced criticism from the White House and Congress over its handling of the ransomware attack.

On an earnings call, President and Chief Financial Officer John Rex said the company earned $7.8 billion in the first quarter but suffered $872 million in “unfavorable cyberattack effects.”

“Of the $870 million, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities. For the full year, we estimate these direct costs at $1 billion to $1.15 billion,” Rex said. 

“The other components affecting our results relates to the disruption of ongoing Change Healthcare business. This is driven by the loss of revenues associated with the affected services, all while incurring the support and costs to keep these capabilities fully ready to return to service.”

Depending on the timing of service restoration and a return of previous transaction volumes, the company estimates another $350 to $450 million in losses for the rest of the year, Rex added. 

The company claimed much of Change Healthcare’s services have been restored, noting that the pharmacy claim and payment platform is “up to 80% functionality.”

The earnings call comes as the company faces new extortion threats from ransomware actors. Blockchain data reportedly shows the company likely paid a $22 million ransom to the ransomware gang behind the incident, known as AlphV or BlackCat.

A law enforcement takedown disrupted the gang’s operations and the group’s leaders allegedly stole the $22 million ransom from the hacker who was personally involved in the attack on Change Healthcare.

That hacker, who still had access to the data stolen from Change Healthcare during the attack, has now allegedly moved the data to the platform of another gang known as RansomHub.

The data appears to be legitimate, according to a report from Wired, and the group began leaking even more information on Tuesday morning. 

The hackers are offering more than 4 terabytes of data from Change Healthcare, including information connected to partners like CVS and Medicare as well as personal data from thousands of patients. 

UnitedHealth told Recorded Future News last week that it is “aware of these reports and continue[s] to work with the authorities.” The company did not answer several other questions about the recent data leaks.

At a congressional hearing on Tuesday about the attack, doctors spoke at length about the chaos caused by the incident, with some alleging that UnitedHealth used the attack as an opportunity to purchase clinics struggling financially as a result of the attack. 

The company declined to send a representative to testify at the hearing. Several members of Congress emphasized the company’s massive reach within the healthcare industry. 

Change’s platform works with more than 900,000 physicians, 118,000 dentists, 33,000 pharmacies, 5,500 hospital hospitals and 600 labs, according to Rep. Anna Eshoo (D-CA). 

Rep. John Sarbanes (D-MD) added that at least one in three patient records in the U.S. passes through Change Healthcare. 

“The consolidation of Change, United and Optum created this consolidation of mission critical services. And ultimately, that created a consolidation of risks that the entire sector was exposed to,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. 

One doctor said they have received no information from UnitedHealth about what data was stolen and what will be done to protect patients whose information was leaked as a result of the attack.