CEO Andrew Witty testified before Congress on Wednesday, disclosing a significant cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. UnitedHealth Group CEO revealed that hackers breached the company's computer system, releasing ransomware after stealing someone's password.

The cybercriminals exploited a portal lacking multifactor authentication (MFA), a basic cybersecurity safeguard.

During an hour-long congressional hearing, Witty informed lawmakers that the company has not yet determined how many patients and healthcare professionals were impacted by the cyberattack on Change Healthcare in February. The hearing, which focused on how hackers gained access to Change Healthcare, a separate division of UnitedHealth, raised questions about the lack of basic cybersecurity measures before the cyberattack. "Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty explained. But for some reason, which we continue to investigate, this particular server did not have MFA on it.

Multifactor Authentication and Cybersecurity

Multifactor authentication adds a second layer of security to password-protected accounts by requiring users to enter an auto-generated code sent to their phone or email. Despite being a common feature on apps, this safeguard was not in place on the compromised server. Witty assured that all logins for Change Healthcare now have multifactor authentication enabled. The cyberattack on Change Healthcare was attributed to the Russia-based ransomware gang ALPHV or BlackCat. The group claimed responsibility for the cyberattack, alleging it stole more than six terabytes of data, including "sensitive" medical records. The attack caused a disruption of payment and claims processing across the country, stressing doctor's offices and healthcare systems by interfering with their ability to file claims and get paid. UnitedHealth paid a $22 million ransom in Bitcoin to BlackCat, a decision made by Witty himself. However, despite the ransom payment, some sensitive records from patients were still posted by hackers on the dark web. The ransom payment was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone," Witty stated.

Scope of the Cyberattack on Change Healthcare and Financial Impact

Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association, meaning that even patients who weren't customers of UnitedHealth were potentially affected. The company revealed earlier this month that personal information covering a "substantial portion of people in America" may have been taken in the attack. The breach has cost UnitedHealth Group nearly $900 million, excluding the ransom paid, according to company officials in the first-quarter earnings report last week.

Rising Threat of Ransomware Attacks

Ransomware attacks have become increasingly common within the healthcare industry. According to a 2022 study published in JAMA Health Forum, the annual number of ransomware attacks against hospitals and other healthcare providers doubled from 2016 to 2021. This escalation in cyber threats highlights the urgent need for enhanced cybersecurity measures across the industry.

The breach at Change Healthcare echoes a similar incident in March 2024, where Refuah Health Center faced a cyberattack due to the lack of MFA. The New York Attorney General's office intervened, resulting in a $1.2 million investment by Refuah in enhancing cybersecurity measures. The health center also agreed to pay $450,000 in penalties and costs, resolving allegations of inadequate cybersecurity controls.

Prioritizing Cybersecurity in Healthcare Both incidents highlight the critical importance of implementing strong cybersecurity measures, especially in the healthcare sector. With patient data at stake, organizations must invest in multifactor authentication and other advanced security protocols to safeguard sensitive information. As cyber threats continue to evolve, proactive measures are essential to protect the privacy and security of patient data. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In a bid to safeguard patient data, UnitedHealth Group, a prominent healthcare conglomerate, confirmed that it has paid ransom to cyberthreat actors after its subsidiary, Change Healthcare, fell victim to a cyberattack in February. The company also acknowledged that files containing personal information were compromised in the Change Healthcare cyberattack.

According to a statement provided to CNBC, UnitedHealth stated, “This attack was conducted by malicious threat actors, and we continue to work with law enforcement and multiple leading cybersecurity firms during our investigation. A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”

Ransom Payment Amount And Method

Though the exact ransom amount was not disclosed by UnitedHealth, Wired magazine reported on March 4 that the company likely paid around $22 million in bitcoin to the attackers, citing darknet forum posts and blockchain analysis. The Cyber Express Team contacted Change Healthcare officials to inquire about the reported ransom payment. However, at the time of publication, no official response has been received. UnitedHealth further disclosed that cyberthreat actors accessed files containing protected health information (PHI) and personally identifiable information (PII). The breached files could potentially affect a significant portion of the American population. However, the company clarified that, to date, there is no evidence of exfiltration of materials such as doctors’ charts or full medical histories among the compromised data. "Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data," reads the official release. Andrew Witty, CEO of UnitedHealth Group, expressed the company’s commitment to addressing the concerns raised by the attack, stating, “We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it.”

Change Healthcare Cyberattack Details and Infiltration

The attackers, identified as the ALPHV ransomware gang or one of its affiliates, infiltrated Change Healthcare’s networks more than a week before launching the ransomware strike, as reported by The Wall Street Journal. They gained entry through compromised credentials on an application that allows staff to remotely access systems, as multifactor authentication protocols were not enabled on this particular application. In response to the breach, UnitedHealth has taken steps to mitigate the impact on affected individuals. The company has set up a dedicated website for patients to access resources and launched a call center offering free identity theft protection and credit monitoring for two years. However, due to the ongoing complexity of the data review, the call center is unable to provide specific details about individual data impact. Change Healthcare, which processes approximately 15 billion transactions a year and handles one in three medical records, suffered significant disruption from the attack. More than 100 systems were shut down, affecting numerous healthcare providers and leaving some reliant on loans and personal funds to stay operational. UnitedHealth reported that the attack has cost the company $872 million so far.

Recovery Efforts and Assistance Programs

Despite the challenges, UnitedHealth has been steadily restoring systems since March, including pharmacy software, claims management, and other platforms. The company has also launched financial assistance programs, although some providers have expressed dissatisfaction with the amounts offered and reported feeling pressured to make positive public comments about the loans by UnitedHealth staff. As UnitedHealth continues its efforts to recover from the cyberattack, it remains vigilant in ensuring the security of patient data and strengthening its cybersecurity defenses to prevent future incidents. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

UnitedHealth Group disclosed on Tuesday that it anticipates the hack of its Change Healthcare unit to result in expenses of up to $1.6 billion this year. However, the healthcare giant affirmed its 2024 earnings forecast, suggesting a potentially less severe impact of the Change Healthcare cyberattack. The cyberattack on UnitedHealth Group, which targeted Change Healthcare, a vital provider of healthcare billing and data systems within the U.S. healthcare infrastructure, had far-reaching consequences.  Not only did it disrupt payments to medical practitioners and facilities nationwide for a month, but it also inflicted severe strains on community health centers catering to over 30 million underprivileged and uninsured patients. Despite the substantial financial implications of the cyberattack, UnitedHealth Group surpassed estimates for first-quarter earnings. This was propelled by a decline in medical costs compared to the elevated rates experienced late last year. The company's shares surged by 5.3% following the earnings report. Prior to this, United shares had experienced a decline of nearly 15% since the revelation of the ransomware attack on February 21.

The Aftermath of the Change Healthcare Cyberattack

[caption id="attachment_60476" align="alignnone" width="1000"] Source: Shutterstock[/caption] The disruption caused by the cyberattack extended beyond financial transactions, leading to delays in claim submissions as healthcare providers grappled with manual paperwork due to the inability to access the Change Healthcare system. In response to the crisis, UnitedHealth Group's CEO, Andrew Witty, assured stakeholders of the company's unwavering commitment to resolving the connectivity issues faced by care providers, emphasizing progress in addressing the fallout of the Change Healthcare cyberattack during a recent conference call discussing the company's financial results. The impact of the cyberattack reverberated through UnitedHealth Group's financial performance in the first quarter of 2024, with total cyberattack-related costs amounting to $0.74 per share. Looking ahead, the company estimates a full-year impact ranging from $1.15 to $1.35 per share, encompassing both direct response costs and business disruption impacts. Despite the challenges posed by the cyberattack, UnitedHealth Group reported robust first-quarter earnings, surpassing expectations. The company's revenues for the quarter surged by nearly $8 billion year-over-year to reach $99.8 billion, fueled by strong growth in its Optum and UnitedHealthcare segments.

Response to the UnitedHealth Group Cyberattack 

While the Change Healthcare cyberattack did leave a notable dent in UnitedHealth Group's earnings from operations, which included $872 million in adverse effects, the company's adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack. As per the latest press release, In light of the cyberattack's potential implications on claims receipt timing, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to manage potential future impacts on its financial stability. Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024. Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.