UnitedHealth reveals eye-watering cost of Change Healthcare cyber attack

A close up of a laptop screen showing the a browser open on the UnitedHealth homepage
(Image credit: Getty Images)

UnitedHealth Group has said that the cyber attack on its Change Healthcare unit in February could cost the company as much as $1.6 billion in 2024.

UnitedHealth revealed in February that a hacker group had gained access to some of the systems at its Change Healthcare unit, in what it described as an “unprecedented cyber attack on the US health system”. The attack affected systems including pharmacy services, payments platforms, and medical claims.

In March the American Hospital Association described the Change Healthcare cyber attack as "the most significant and consequential incident of its kind against the US health care system in history", making it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services.

The attack is believed to be the work of the ALPHV/Blackcat ransomware gang. In March, the US State Department offered a $10 million reward for information leading to the identity or location of the group.

Since the attack, the company has been busy bringing the affected systems back online; while a number have been restored, the company has indicated that there are others that are only partially available.

It has now published its financial update for the period covering the attack and some of the aftermath.

UnitedHealth said its first quarter 2024 revenues grew nearly $8 billion year-over-year to $99.8 billion. First quarter earnings from operations were $7.9 billion, including $872 million in “unfavorable cyber attack effects”.

The company said that the total impact of the cyber attack could cost somewhere between $1.35 billion and $1.6 billion for the full year. It put the direct response costs of the cyber attack at $593 million and said this could rise to between $1 billion and $1.15 billion.

On the earning call UnitedHealth CEO Andrew Witty said that the attack had disrupted the ability of care providers to file claims and be paid for their work. “We moved quickly to fill this gap,” he said, by providing $6 billion in funding to care providers in financial need.

“We rapidly deployed resources to develop alternative solutions and moved promptly to restore claims and payment services. We’ve made substantial progress and we will not rest until care providers’ connectivity needs are met,” he said.

The company said of the $870 million in cyber attack costs, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities. The company said the disruption of ongoing Change Healthcare business and loss of revenues associated with the affected services cost around $280 million this quarter.

However, the effects of the cyber attack continue. A threat group now claims to have terabytes of data stolen from the company’s network and is threatening to release some of the data unless it is paid. It’s not clear how this group is related to the initial attackers.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.