In its 2024 first quarter earnings, Change Healthcare parent UnitedHealth Group reported that the massive ransomware attack that was uncovered at the end of February has cost the company $872 million so far.
Remediation efforts for the attack are still ongoing, but UnitedHealth Group’s earnings offer a glimpse into the financial costs of the attack in the eight weeks since it was announced. That figure includes direct response costs ($593 million), including costs for supporting the company’s platform restoration and those tied to increased medical care expenditures after the company suspended care management activities to help care providers with their workflow processes. Other financial impacts were tied to business disruption impacts ($279 million) from the attack.
"The company continues to make significant progress in restoring the affected Change Healthcare services while providing financial support to impacted health care providers," according to UnitedHealth Group’s Tuesday earnings release. "To date, the company has provided over $6 billion in advance funding and interest-free loans to support care providers in need."
Overall, in its first quarter earnings UnitedHealth Group said its revenue increased almost $8 billion year-over-year to $99.8 billion. The company, however, is still grappling with the fallout from the ransomware attack that occurred in late February, which included a reported $22 million payment to the BlackCat ransomware affiliates behind the attack and led to delays in patient care, prescription orders and payments, impacting providers, pharmacies and hospitals across the U.S.
Though most systems are online and claims processing is underway, UnitedHealth Group is now facing a second ransom demand from another ransomware group affiliate that claims to have patient and corporate data stolen from Change Healthcare’s systems.
The federal government has also stepped in, with the Department of Health and Human Services Office for Civil Rights in March opening an investigation into the incident and whether protected health information was compromised. In a new update on its website on Monday, Change Healthcare said that at this time, the company “knows that the data had some quantity of personal health information and personally identifiable information.”
“We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made — and will work with the Office of Civil Rights and our customers in doing so,” according to UnitedHealth Group’s update this week.
Lasting Damages
While UnitedHealth Group’s financial reports are one way to gauge the impact of the ransomware attack, the incident has a far-reaching and ongoing effect on many other organizations across the industry that's harder to pinpoint.
In a Tuesday hearing by the House Energy and Commerce Subcommittee on Health - titled "Examining Health Sector Cybersecurity in the Wake Of The Change Healthcare Attack" - government and healthcare entities talked about the ongoing impacts of the attack. Representatives from UnitedHealth Group did not participate in the hearing.
Adam Bruggeman, an orthopedic surgeon with the Texas Spine Center, said that the cyberattack led to his practice being unable to process claims and receive payments. While Bruggeman said his practice had enough cash reserves to continue operating without receiving payments during the outage, the practice still faced a number of significant challenges in dealing with the fallout from the attack. For instance, while the practice had the option to change over to an alternative clearinghouse a few weeks after the attack, not all insurers allowed the practice to do that for claim submissions, because integrating with a new clearinghouse is costly and time consuming.
“This made switching impractical,” said Bruggeman. “Instead, we had to either hold claims in limbo or resort to submitting them through individual online portals.”
The practice also could not receive ERAs from insurers, which typically accompany deposits in their bank account and give important information about which bills have been paid. This led to many patients receiving automated bills, which should have been marked as paid, leading to confusion and frustration from patients, said Bruggeman.
Another ongoing issue is the lack of transparency around the attack. Scott MacLean, Board Chair of the College of Healthcare Information Management Executives (CHIME) and SVP and CIO of MedStar Health, said that from the start, many members of CHIME “found themselves struggling to navigate the most significant cyber incident to hit our sector.” IoCs were not widely shared immediately, for instance, and for a certain period of time organizations weren’t sure which systems were safe to reconnect to.
“Following the attack, there was a dearth of information and our members found themselves in the dark navigating an extremely complex and far-reaching attack with few answers, and few options for continuing operations,” said MacLean. “The lack of answers hampered and continues to hamper recovery efforts.”